Search shows no results but there is 1 count

angersleek
Path Finder

I have a list of services named Service1, Service2, Service3, Service4.

When I run the following search over the past 60 minutes, I get results:

Search String:
service=Service*

Selected Field Results:
Values      Count   %
Service1    90      90
Service2    5       5
Service3    4       4
Service4    1       1

I am only interested in Service4, so I run the following search, expecting to see the logs for that 1 count.

Search String:
service=Service4

I get the result "No results found. Try expanding the time range."

Why am I not able to get the results for Service4 when there is a count?

Note the following please:

  1. The issue is not with the search string. If I do an extended search over 24 hours, I get results when the count is 100+.
  2. The issue is likely not with the low count either. I get results when I search for Service3, which has a lower count than Service2. But Service2 returns the same error "No results found. Try expanding the time range."
0 Karma
1 Solution

skoelpin
SplunkTrust

Are you searching over the same time period?

You mentioned doing the last 60 minutes. If Service4 had a value at the end of that timespan, and you then ran that second search after it had fallen out of the 60-minute timespan, it would show zero. You could test this by setting relative times.

Try adding this to your query:

earliest=-60m@m latest=now

0 Karma

angersleek
Path Finder

I was able to capture it with this added to the query. Thank you. Would you like to add this as an answer?

0 Karma

skoelpin
SplunkTrust

Great to hear!

I've converted this to an answer. Please accept/upvote.

0 Karma

kmaron
Motivator

Is there extra whitespace you're not accounting for when you use a literal instead of a wildcard?

somesoni2
Revered Legend

I second that. If not all, there may be a few events that have trailing spaces at the end of the field. Try running your Service2 and Service4 searches with a wildcard at the end. If it returns results as expected, you have a trailing space.

service=Service4*

0 Karma

angersleek
Path Finder

Tried as suggested but same outcome.

0 Karma
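An added example (not code from the thread or from Splunk) that models both explanations given above in Python: a 60-minute window whose earliest edge drifts between two searches unless it is snapped to the minute with `earliest=-60m@m`, and a literal value that fails to match when the field carries a trailing space. The timestamps and service values are constructed sample data, and the matching is a deliberate simplification of Splunk's.

```python
from datetime import datetime, timedelta
import fnmatch

def snap_to_minute(t):
    """Mimic Splunk's @m snap: truncate to the whole minute."""
    return t.replace(second=0, microsecond=0)

def window(run_at, snap):
    """(earliest, latest) for a 60-minute lookback ending at run_at.
    snap=True models earliest=-60m@m latest=now; snap=False leaves the edge unsnapped."""
    earliest = run_at - timedelta(minutes=60)
    if snap:
        earliest = snap_to_minute(earliest)
    return earliest, run_at

def matches(value, pattern):
    """Simplified field=value match: a literal is exact, '*' is a wildcard.
    (Real Splunk matching is case-insensitive; that detail is ignored here.)"""
    return fnmatch.fnmatchcase(value, pattern)

def count_events(events, pattern, run_at, snap):
    """Count events inside the window whose service value matches pattern."""
    earliest, latest = window(run_at, snap)
    return sum(1 for ts, svc in events
               if earliest <= ts <= latest and matches(svc, pattern))

# Constructed sample events (timestamp, service field value); not real index data.
T0 = datetime(2024, 1, 1, 12, 0, 0)                        # time of the first search
EVENTS = [
    (T0 - timedelta(minutes=59, seconds=50), "Service4"),  # 10 s inside the old edge
    (T0 - timedelta(minutes=30), "Service2 "),             # trailing space in the value
    (T0 - timedelta(minutes=10), "Service1"),
]

def run_scenario():
    """Replay the thread's searches: one wildcard search at T0, then narrower
    searches 20 s later, with and without snapping the earliest edge."""
    later = T0 + timedelta(seconds=20)
    return {
        "wildcard_at_T0": count_events(EVENTS, "Service*", T0, snap=False),
        "service4_later_unsnapped": count_events(EVENTS, "Service4", later, snap=False),
        "service4_later_snapped": count_events(EVENTS, "Service4", later, snap=True),
        "service2_literal": count_events(EVENTS, "Service2", T0, snap=False),
        "service2_wildcard": count_events(EVENTS, "Service2*", T0, snap=False),
    }

if __name__ == "__main__":
    for name, count in run_scenario().items():
        print(f"{name}: {count}")
```

The snapped edge only keeps the two searches consistent within the same minute; once the minute rolls over, the Service4 event ages out of both windows, which is the behaviour the accepted answer describes.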