Solved: Re: Search Data 1 Minute Ago

mathiasy123 · ‎07-03-2020

I have data that has _time from 18:00:20-18:00:52 and I set my current time to 18:01 so it should search the 18:00 time, why is it not working (display an empty result)? It should display the data from 18:00:20-18:00:52.

this is my search:

to4kawa · ‎07-03-2020

your search has no result. your index or source are correct?

View solution in original post

to4kawa · ‎07-03-2020

index=_internal earliest=-1m latest=@m | stats min(_time) as A max(_time) as B count | convert ctime(A) ctime(B) |addinfo | foreach *time [ eval <<FIELD>>=strftime('<<FIELD>>',"%T")]

Maybe we should unify with @.

mathiasy123 · ‎07-03-2020

Hi @to4kawa

It displayed this one:

what happens?

to4kawa · ‎07-03-2020

your search has no result. your index or source are correct?

mathiasy123 · ‎07-08-2020

@to4kawa

Hi, I finally found my mistake, it seems my _time was wrong, so the search returns an empty result, big thanks!

to4kawa · ‎07-08-2020

good job @mathiasy123 happy splunking!

mathiasy123 · ‎07-03-2020

How to check if my index and source are correctly?

to4kawa · ‎07-03-2020

check data summary on search

mathiasy123 · ‎07-07-2020

@to4kawa

How to do it ?

to4kawa · ‎07-07-2020

click "Data Summary"

mathiasy123 · ‎07-07-2020

@to4kawa

Okay, let me try it.

Search Data 1 Minute Ago

fields

other

subsearch

table

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms