
Performance check - How can I check why I'm not getting any results?

NizanCohen
Explorer

Hi all.

I use Splunk at my workplace and recently I feel like its performance is decreasing. Basic search queries like my username or email address used to provide results; now they don't.

No matter which time frame I choose, zero events.

I was told that an app called "estreamer" was down, and one of the infrastructure workers fixed it and claimed to have restored all missing data. That was last Thursday. Sadly, he's not familiar with this system, so I need to address the issue when I talk with him.

Today, I still cannot search these basic strings, it gives zero events.


Any idea how I can check what's wrong, so I can tell the infra worker to fix a certain issue/index/app?

0 Karma

gcusello
SplunkTrust

Hi @NizanCohen,

Are you using the estreamer TA (https://splunkbase.splunk.com/app/3662) from Splunkbase?

So, please, check if you have today's events on the 11th of February.

If you have today's events with a timestamp of the 11th of February, it means that you have wrong timestamp recognition, which you can solve using an add-on from Splunkbase or by setting TIME_FORMAT on your indexers or (if present) Heavy Forwarders.

Ciao.

Giuseppe

0 Karma

NizanCohen
Explorer

Not sure about the app; I don't find it in the upper-left "App" menu.

But if I search for index=estreamer I get events.

Another question: how can I search an index that recently stopped being used? Maybe that will give me the needed information, even though searching the basic string with "All time" would not return anything.

0 Karma

gcusello
SplunkTrust

Hi @NizanCohen,

You cannot find this app in the app list because it isn't visible, so you have to search for it in [Apps > Manage Apps].

About the estreamer problem, is it solved or not?

If yes, please accept one answer for the other people of the Community.

About the other question: don't add a new question to another one, because that way fewer people will help you; it's always better to open a new question.

Anyway, if you search index=<your_index> and you don't get any events with "All Time", this means that you don't have any events in that index, so you cannot search anything.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

NizanCohen
Explorer

No, I cannot find the estreamer app in "manage apps".

Any other idea why I experience this issue?

0 Karma

gcusello
SplunkTrust

Hi @NizanCohen,

As I said, you need an app or an add-on to parse your logs, so you have two solutions:

  • install one add-on from Splunkbase (e.g. the one I hinted),
  • create your own parsing rules.

If your problem is only the timestamp, you could add TIME_FORMAT to your sourcetype and quickly solve your need; otherwise, it's easier to install a TA from Splunkbase.

Ciao.

Giuseppe

0 Karma
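A concrete way to run the check Giuseppe describes in his first reply (are today's events carrying an old timestamp?) before deciding whether the TIME_FORMAT fix from his last reply is needed. This is an added example, not code from any post in the thread; it assumes the data lives in index=estreamer (as reported above) and should be run with the time picker set to "All time", because the picker filters on the parsed _time, which is exactly the field suspected of being wrong. The _index_earliest/_index_latest modifiers select on the time the event was written to the index instead.

```spl
index=estreamer _index_earliest=-24h _index_latest=now
| eval lag_hours=round((_indextime - _time) / 3600, 1),
       event_day=strftime(_time, "%Y-%m-%d"),
       indexed_day=strftime(_indextime, "%Y-%m-%d")
| stats count AS events,
        min(lag_hours) AS min_lag_hours,
        max(lag_hours) AS max_lag_hours
        BY sourcetype, indexed_day, event_day
| sort - events
```

Rows whose indexed_day is today but whose event_day is weeks back (for example 11 February) with a large max_lag_hours are the wrong-timestamp symptom; rows with a small lag mean timestamps are fine and the missing results have another cause (for example the data simply not being forwarded). The fix Giuseppe describes is a `[<your_sourcetype>]` stanza in props.conf on the indexers or Heavy Forwarders with TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD matching the raw log, which only affects data indexed after the change.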