Hi Community,
I've been using Splunk Enterprise search and reporting for a month now, and now when I try to search with the same old query which worked previously, the results don't even show up. All I get is "No results found. Try expanding the time range." but I'm using a time range of last 30 days.
Can anyone please help me with this?
Thanks,
Sid
You have earliest hardcoded in your search bar and it's set to 15 min. When you remove that and broaden your search to 30d, does that help at all?
Have you checked that field extractions are working properly? You have User=*, but it could be that something happened and the field extractions are broken somewhere. Try just index=uam (I also noticed that in one comment you put iam and in another you put uam, so just double-check for any typos) for a broader range and see the last time data came through (you can also use the |tstats trick that @mydog8it suggests, but I might add |tstats max(_time) as max_time max(_indextime) as max_indextime where index=uam | convert ctime(max_time) ctime(max_indextime) in order to get the last time and indextime for that index). If you see that data has come in within the last 15 minutes or so, shorten your time frame and do index=uam | fieldsummary to see what fields are being extracted.
Thanks for the reply, I tried using the command you gave and it doesn't show the desired index i want. Seems like problem with my permission and need to contact my Splunk admin. Thanks for helping me out.
It would be beneficial to post a sample of the search you're using. This will usually happen in two cases:
1. No data is available (perhaps no new data was indexed since it last worked, or the retention of the data you're looking for has already deleted the old data).
2. The field transformations you were using were changed and you cannot filter the data anymore. In this case I recommend you start cutting down the search query you were using to make sure you're matching something. Let's say, for example, you were using this search: index=abc sourcetype=abc event=filtered | stats count by host
You can search for only index=abc; that should give you an idea of whether you really have data there and the problem is not your query.
Hi,
Thanks for the reply. As you said, I cut down the search to only the index, and I'm still not able to see any data. I'm pretty sure that data is being indexed, as I can see it in my server logs.
e.g. index="iam" User="*" ----> Using this also won't show me any data
The query I'm using is this
index="uam" User="*" earliest=-15m latest=now| rename date_hour AS Hour date_mday AS Day date_minute AS Minute date_month AS Month date_second AS Second date_wday AS WeekDay date_year AS Year date_zone AS TimeZone | fields _time Year Month Day WeekDay Hour Minute Second TimeZone host User _raw | dedup _time
Thanks,
Sid
Try removing the hardcoded earliest=-15m latest=now, as this overwrites the time you choose on the time picker.
Did the same, still not able to get results. Need to contact my Splunk admin with the issue. Thanks for the help.
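The point made in the two answers above (a hardcoded earliest=/latest= in the search string silently overrides the time picker, and an index typo such as iam vs uam matches nothing) can be checked mechanically. The following is an added example, not code from the thread or from Splunk: it evaluates Splunk-style relative time modifiers (now, -15m, -30d@d, @w, @d-1h) the way the documented syntax describes them, reports any time modifiers baked into a search string, strips them, and lists the index= terms. The sample query is a shortened copy of the one posted above; the fixed clock, function names and the decision to leave out month/year units are my own assumptions.

```python
"""
Added example (not from the Splunk Community thread): lint a search string for
hardcoded earliest=/latest= modifiers, which override the time picker, and
evaluate Splunk-style relative time modifiers. Assumes Splunk's documented
modifier syntax for s/m/h/d/w units and @unit snap-to; month/year units are
deliberately not handled.
"""
import re
from datetime import datetime, timedelta

# Seconds per unit, keyed by the aliases Splunk accepts for these units.
UNIT_SECONDS = {
    "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
}

# A modifier is a left-to-right sequence of: "now", "+N<unit>"/"-N<unit>", "@<unit>".
_TOKEN = re.compile(r"now|([+-]\d+)([a-z]+)|@([a-z]+)")
# earliest=<value> / latest=<value> anywhere in the search; value is quoted or
# runs until whitespace or a pipe.
_TIME_MOD = re.compile(r'\b(earliest|latest)\s*=\s*("[^"]*"|[^\s|]+)', re.IGNORECASE)
_INDEX = re.compile(r'\bindex\s*=\s*"?([^\s"|]+)"?', re.IGNORECASE)

# Fixed clock (an assumption) so the demo and its results are repeatable.
DEMO_NOW = datetime(2024, 1, 31, 12, 0, 0)


def _unit(alias: str) -> str:
    """Validate a unit alias and return its canonical letter (s, m, h, d, w)."""
    if alias not in UNIT_SECONDS:
        raise ValueError(f"unsupported time unit: {alias!r}")
    return alias[0]


def _snap(dt: datetime, alias: str) -> datetime:
    """Round dt down to the start of the unit (Splunk's @unit; @w snaps to Sunday)."""
    unit = _unit(alias)
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    return day - timedelta(days=(day.weekday() + 1) % 7)  # Monday=0, so Sunday is 3 days back on a Wednesday


def parse_relative_time(spec: str, now: datetime) -> datetime:
    """Evaluate a relative time modifier token by token, starting from now."""
    spec = spec.strip().strip('"').lower()
    if not spec:
        raise ValueError("empty time modifier")
    if spec.isdigit():                      # an absolute epoch value
        return datetime.fromtimestamp(int(spec), tz=now.tzinfo)
    dt, pos = now, 0
    for m in _TOKEN.finditer(spec):
        if m.start() != pos:
            raise ValueError(f"cannot parse time modifier: {spec!r}")
        pos = m.end()
        if m.group(1):                      # signed offset such as -15m
            dt += timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)]) if _unit(m.group(2)) else dt
        elif m.group(3):                    # snap such as @d
            dt = _snap(dt, m.group(3))
        # a bare "now" only fixes the starting point
    if pos != len(spec):
        raise ValueError(f"cannot parse time modifier: {spec!r}")
    return dt


def find_hardcoded_time(spl: str) -> dict:
    """Return {'earliest': ..., 'latest': ...} for modifiers written into the search string."""
    return {m.group(1).lower(): m.group(2).strip('"') for m in _TIME_MOD.finditer(spl)}


def strip_hardcoded_time(spl: str) -> str:
    """Remove earliest=/latest= so the time picker is honoured again."""
    return re.sub(r"[ \t]+", " ", _TIME_MOD.sub("", spl)).strip()


def index_names(spl: str) -> list:
    """Every index=... term in the search, for spotting typos such as iam vs uam."""
    return [m.group(1).lower() for m in _INDEX.finditer(spl)]


def effective_window(spl: str, picker_earliest: str, picker_latest: str, now: datetime):
    """Resolve the window that will actually be searched: a modifier in the
    search string wins over the corresponding time picker bound."""
    hard = find_hardcoded_time(spl)
    earliest = parse_relative_time(hard.get("earliest", picker_earliest), now)
    latest = parse_relative_time(hard.get("latest", picker_latest), now)
    return earliest, latest, ("search string" if hard else "time picker")


if __name__ == "__main__":
    # Shortened copy of the search posted in the thread, picker set to "Last 30 days".
    QUERY = ('index="uam" User="*" earliest=-15m latest=now| rename date_hour AS Hour '
             '| fields _time Hour host User _raw | dedup _time')
    for q in (QUERY, strip_hardcoded_time(QUERY)):
        e, l, src = effective_window(q, "-30d", "now", DEMO_NOW)
        print(f"{src:13s} window = {(l - e).total_seconds() / 3600:g} h  indexes={index_names(q)}")
```

Run as a script, it shows the posted search covering a 0.25 h window regardless of the picker, and the stripped search covering 720 h from the picker. Splunk also offers the time picker's own earliest/latest in a dashboard token, but the simplest fix for an interactive search is exactly what the answers suggest: delete the hardcoded modifiers.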
Try running this to see what indexes are being populated:
|tstats count where index=* by index
Use the past 24 hours in time picker.
This will show any index being written to in your environment. Verify that you see the index you desire to query in the results.