Splunk Search

Getting no events with Real Time searching vs getting events with Historical search. No new events appearing.

davidts
Path Finder

I have some Windows perfmon events being indexed every 60s. When I perform a 15min historical search I see all the events that I expect to see (15 events in total). However, if I perform a 15m Real Time search (rt-15m) I see the 15 past events as expected but I then do NOT see any new events that come in.

Every minute an event drops out of the results list as the 15m window slides to the current time, but no new events appear.

Splunk version: 5.0.2
Search: index=perfmon host= object=Processor counter="% Processor Time"

I am using the time picker to specify the search windows.

1 Solution

Runals
Motivator

Maybe I'm just projecting some of my current issues but have you checked if there are timezone issues with your data?

index=yourIndex earliest=+1m latest=+1d


0 Karma
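
Added example, not part of the original posts: one way to measure the timestamp skew that the answer above suspects, by comparing each event's parsed timestamp (`_time`) with the time it was indexed (`_indextime`). The index and filter terms are taken from the question; the one-day range on either side of now and the 900-second threshold (the width of the 15-minute window) are assumptions.

```spl
index=perfmon object=Processor counter="% Processor Time" earliest=-1d latest=+1d
| eval lag_seconds = _indextime - _time
| stats count min(lag_seconds) AS min_lag_s max(lag_seconds) AS max_lag_s avg(lag_seconds) AS avg_lag_s BY host
| eval verdict = case(min_lag_s < 0, "timestamps in the future", max_lag_s > 900, "timestamps older than the 15m window", true(), "within window")
```

A negative lag means the event was stamped later than the moment it was indexed, and a lag above 900 seconds means it was already older than the window when it arrived. A lag close to a whole number of hours points to a timezone offset applied when the timestamp was parsed.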

davidts
Path Finder

Update: I thought that this may be the case as well, but I have checked the TZ on the search head and index, and also the user and they are all the same.

0 Karma
