Issue at selection with Time Range picker

krusty · ‎07-19-2018

Hi,

we use in our environment (indexer cluster, searchhaed/deployment server) Splunk enterprise version 7.1.1.
If we do a search like this

index="test" host="testserver" | sort 0 _time

Over the last 7 days we are not able to show only some events which we select with the time range picker.

Does anybody know why this issue only appears if we use

| sort 0 _time

in our search? If we do not use this, we are able to pick a time range from the picker.
But then the events are not sorted and not really usable.

HiroshiSatoh · ‎07-19-2018

Is not shortage of resources?
Has an error been output(search.log)?
What happens when you narrow down the fields?

index="test" host="testserver" |fields _time,(fields you use)| sort 0 _time

krusty · ‎07-20-2018

No error is been reported in any logfile.

If I use

index="test" host="testserver*" 
|  fields _time, raw 
| sort 0 _time

in the search field and search for the last 7 days. I got 10434 events. Then I choose a timeframe from the time picker and at the bottom of the page I didn't see any events, but the page show below the search field that I selected 394 events.

Unfortunately I couldn't upload an example, otherwise you could see what I mean.

HiroshiSatoh · ‎07-20-2018

About 10,000 things will not result in memory shortage. 394 cases are not displayed but are the correct number of cases?

It does not reproduce in my environment. Check the search.log and check warnings and errors.

Issue at selection with Time Range picker

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...