Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Issue at selection with Time Range picker

krusty
Contributor
‎07-19-2018 02:40 AM

Hi,

we use in our environment (indexer cluster, searchhaed/deployment server) Splunk enterprise version 7.1.1.
If we do a search like this

index="test" host="testserver" | sort 0 _time

Over the last 7 days we are not able to show only some events which we select with the time range picker.

Does anybody know why this issue only appears if we use

| sort 0 _time

in our search? If we do not use this, we are able to pick a time range from the picker.
But then the events are not sorted and not really usable.

Tags (1)
0 Karma
Reply

HiroshiSatoh
Champion
‎07-19-2018 05:29 AM

Is not shortage of resources?
Has an error been output(search.log)?
What happens when you narrow down the fields?

index="test" host="testserver" |fields _time,(fields you use)| sort 0 _time
0 Karma
Reply

krusty
Contributor
‎07-20-2018 06:34 AM

No error is been reported in any logfile.

If I use

index="test" host="testserver*" 
|  fields _time, raw 
| sort 0 _time

in the search field and search for the last 7 days. I got 10434 events. Then I choose a timeframe from the time picker and at the bottom of the page I didn't see any events, but the page show below the search field that I selected 394 events.

Unfortunately I couldn't upload an example, otherwise you could see what I mean.

0 Karma
Reply

HiroshiSatoh
Champion
‎07-20-2018 10:32 AM

About 10,000 things will not result in memory shortage. 394 cases are not displayed but are the correct number of cases?

It does not reproduce in my environment. Check the search.log and check warnings and errors.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...