- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I search | eventcount summarize=false index=index3 the answer is count : 32339388
If I search index=index3 182154 event events are count with empty days 42 days before the last days.
I've made 2 changes before to have this behavior :
- upgrade to 7.1
- go from a free license to a dev licence on my lab machine.
of course i'm on "all-time" period (or hope to be, because it's look like I'm not)
thank's for your help 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK I've found the limit : "Search auto-finalized after disk usage limit (0MB) reached. "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK I've found the limit : "Search auto-finalized after disk usage limit (0MB) reached. "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you run both the query for all time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank's. Yes. I did it with the web interface. Is there a SPL command to include all time period ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use earliest=-100y latest=now
https://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/SearchTimeModifiers
