Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Inconsistency in search results with time settings?

bo2057
Loves-to-Learn
‎10-24-2022 02:25 AM

Hello, 

    | transaction RRN keepevicted=t | search date_hour <6

If I execute this search with a specific date(10-10-2022) I get 5 events.

 If I execute this search with preset "all-time" I get no results.

If I execute this search with preset "last 30 days"  I get no results.

All searches done in verbose mode.

Why don't I get results with preset "all-time" and/or " last 30 days"

Thanks

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-24-2022 03:06 AM

Hi @bo2057,

it's a strange behavior, did you use the same Search Mode=Verbose in all the tests?

Anyway, if possible avoid to use the transaction command that's very slow, and try to use stats, something like this:

<your_search>
| stats min(date_hour) AS date_hour BY RRN 
| search date_hour<6

Ciao.

Giuseppe

0 Karma
Reply

bo2057
Loves-to-Learn
‎10-24-2022 04:23 AM

Hi Giuseppe,

Yes all searches were done in verbose mode. Using stats in no option because I have to concatenate 3 events into 1.

 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...