Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search shows no results but there is 1 count

angersleek
Path Finder
‎05-24-2018 08:32 AM

I have a list of services named Service1, Service2, Service3, Service4.

When I do a search as follows over past 60 mins, I am able to get results: 

Search String:
service=Service* 

Selected Field Results: 
Values       Count         %
Service1     90            90
Service2     5              5
Service3     4              4
Service4     1              1

I am only interested in Service4 thus I do the following search expecting to see the logs for that 1 count.

Search String:
service=Service4

I get results as "No results found. Try expanding the time range."

Why am I not able to get the results for Service4 when there is a count?

Note the following please:

  1. Issue is not with the search String. If I do an extended search over 24 hours, I am able to get results when the count is 100+.
  2. Issues is likely not with the low count either. I am able to get results when I do a search for Service3 which has a lower count than Service2. But Service 2 returns the same error "No results found. Try expanding the time range."
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎06-01-2018 10:07 AM

Are you searching over the same time period?

You mentioned doing the last 60 minutes. If Service4 had a value at the end of that timespan, then you were to run that second search and it fell out of the 60 minute timespan then it would show zero. You could test this by setting relative times

Try adding this to your query

earliest=-60m@m latest=now

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎06-01-2018 10:07 AM

Are you searching over the same time period?

You mentioned doing the last 60 minutes. If Service4 had a value at the end of that timespan, then you were to run that second search and it fell out of the 60 minute timespan then it would show zero. You could test this by setting relative times

Try adding this to your query

earliest=-60m@m latest=now

0 Karma
Reply
Solved! Jump to solution

angersleek
Path Finder
‎06-06-2018 04:29 AM

Able to capture it with this added to query. Thank you. Would you like to add this as an answer?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎06-06-2018 07:13 AM

Great to hear!

I've converted this to an answer. Please accept/upvote

0 Karma
Reply
Solved! Jump to solution

kmaron
Motivator
‎05-24-2018 09:34 AM

is there extra whitespace you're not accounting for when you use a literal instead of a wildcard?

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-24-2018 10:45 AM

I second that. If not all, there may be few events which may have trailing spaces at the end of the field. Try running your service2 and service4 searches with a wildcard at the end. If it returns result as expected, you've a trailing space.

service=Service4*
0 Karma
Reply
Solved! Jump to solution

angersleek
Path Finder
‎06-01-2018 09:30 AM

Tried as suggested but same outcome.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...