Splunk Search

Search shows no results but there is 1 count

Path Finder

I have a list of services named Service1, Service2, Service3, Service4.

When I do a search as follows over past 60 mins, I am able to get results:

Search String:
service=Service* 

Selected Field Results:
Values       Count         %
Service1     90            90
Service2     5             5
Service3     4             4
Service4     1             1

I am only interested in Service4, thus I do the following search expecting to see the logs for that 1 count.

Search String:
service=Service4

I get results as "No results found. Try expanding the time range."

Why am I not able to get the results for Service4 when there is a count?

Note the following please:

  1. The issue is not with the search string. If I do an extended search over 24 hours, I am able to get results when the count is 100+.
  2. The issue is likely not with the low count either. I am able to get results when I do a search for Service3, which has a lower count than Service2. But Service2 returns the same error "No results found. Try expanding the time range."
0 Karma
1 Solution

SplunkTrust

Are you searching over the same time period?

You mentioned doing the last 60 minutes. If Service4 had a value at the end of that timespan, and you then ran that second search and it fell out of the 60-minute timespan, then it would show zero. You could test this by setting relative times.

Try adding this to your query:

earliest=-60m@m latest=now

0 Karma

Path Finder

Able to capture it with this added to the query. Thank you. Would you like to add this as an answer?

0 Karma

SplunkTrust

Great to hear!

I've converted this to an answer. Please accept/upvote.

0 Karma

Motivator

Is there extra whitespace you're not accounting for when you use a literal instead of a wildcard?

Revered Legend

I second that. If not all, there may be a few events which have trailing spaces at the end of the field. Try running your Service2 and Service4 searches with a wildcard at the end. If it returns results as expected, you've got a trailing space.

service=Service4*
0 Karma
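As an added illustration of both hypotheses in this thread (the event sliding out of the relative time window between two searches, and a trailing space defeating a literal field match), here is a small Python model. This is not code from the original posts or from Splunk: the minute-snapping and wildcard semantics are a simplified approximation of Splunk's behaviour, and the events and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def relative_time(now, offset_minutes, snap_to_minute=True):
    # Model of a Splunk relative time modifier: apply the offset, then snap
    # *down* to the minute, as "-60m@m" does. "now" has no offset and no snap.
    t = now + timedelta(minutes=offset_minutes)
    return t.replace(second=0, microsecond=0) if snap_to_minute else t

def field_matches(value, pattern):
    # Field=value matching in this model: case-insensitive, exact unless the
    # pattern ends in '*', which then matches any trailing characters
    # (including a trailing space the UI would not show).
    if pattern.endswith("*"):
        return value.lower().startswith(pattern[:-1].lower())
    return value.lower() == pattern.lower()

def search(events, now, pattern, earliest_minutes=-60):
    # earliest=-60m@m latest=now, applied to the field filter service=<pattern>.
    earliest = relative_time(now, earliest_minutes)
    return [e for e in events
            if earliest <= e["_time"] <= now and field_matches(e["service"], pattern)]

# Constructed sample events (not from the original thread).
EVENTS = [
    {"_time": datetime(2024, 1, 1, 11, 50, 0, tzinfo=UTC), "service": "Service1"},
    {"_time": datetime(2024, 1, 1, 11, 55, 0, tzinfo=UTC), "service": "Service2 "},  # trailing space
    {"_time": datetime(2024, 1, 1, 11, 0, 45, tzinfo=UTC), "service": "Service4"},   # near the window edge
]

def run_demo():
    first = datetime(2024, 1, 1, 12, 0, 30, tzinfo=UTC)   # when the Service* search ran
    second = first + timedelta(minutes=1)                   # when the Service4 search ran
    return {
        # earliest snaps to 11:00:00 -> the 11:00:45 event is still inside the window
        "service4_first_search": len(search(EVENTS, first, "Service4")),
        # earliest snaps to 11:01:00 -> the same event has fallen out of the window
        "service4_second_search": len(search(EVENTS, second, "Service4")),
        # a trailing space defeats the literal match but not the wildcard
        "service2_literal": len(search(EVENTS, first, "Service2")),
        "service2_wildcard": len(search(EVENTS, first, "Service2*")),
    }

if __name__ == "__main__":
    for name, count in run_demo().items():
        print(f"{name}: {count}")
```

Running it shows one Service4 hit for the first search and none a minute later, and zero Service2 hits for the literal against one for the wildcard.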

Path Finder

Tried as suggested but same outcome.

0 Karma