Search not showing all events

EricMueller0619 · ‎05-17-2018

Hi,

i do have the following problem:

index=atmo_pc sourcetype=SE10 Station=60

as you can see, my search is pretty basic. It is just a small part of a whole Dashboard, which depends on the selected Station. Furthermore events with Station=60 arent shown properly. Actually the result's 4 events if i press search (Year to date-Time-Picker).

if i modify the search like:

index=atmo_pc sourcetype=SE10 Station<61 Station>59

i receive more than 7000 events, which is the correct number of events.

So i cannot figure out why. I dont think it is a problem regarding the Field Extractions or any other settings. Is it a problem of the source? Thanks for any help!

Eric

EricMueller0619 · ‎05-17-2018

the problem is, i do not have access to $SPLUNK_HOME/bin and neither to the forwarder

i have to solve it (if possible) differently

kapilbk1996 · ‎05-17-2018

Try to restart indexer.
Run this command in $SPLUNK_HOME/bin

./splunk restart

In case you are using forwarder, restart forwarder as well.

mayurr98 · ‎05-17-2018

After hitting this search index=atmo_pc sourcetype=SE10 Station<61 Station>59 what values do you get in the field sidebar for Station field?

Do you get only 60?

EricMueller0619 · ‎05-17-2018

yes after running the search i only get 60 for Station, which is a number not a string

Search not showing all events

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Search not showing all events

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES