Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search with result shows No results Found error after 100% completion of the search

paramagurukarth
Builder
‎05-26-2015 06:20 AM

My search shows results when it is executing..
But after 100% completion of the search all the listed records are disappeared and "No records found error" is Displayed.
Please guide me how to find the issue..

Reply

woodcock
Esteemed Legend
‎06-06-2015 07:54 AM

This is somewhat normal if you are piping to many "rolling up"-type commands (e.g. stats) because Splunk is designed to give you preliminary (NOT PARTIAL) results along the way while your search is processing. Normally this is very useful but in some cases like yours, it can be misleading and confusing. Such complicated searches also may take a while to finalize so that is normal, too. You should never forget that any search may show preliminary results that are later properly vacated using the plenary results in the finalization stage. If you believe that you should have results, then you almost certainly have a mistake in your search string. To find the mistake, throw away each post-pipe clause, one by one, starting from the right side and make sure at each stage that the preliminary stages' results look the way they should. As the others have said, we really cannot tell more without your exact search and some real sample data.

0 Karma
Reply

intelsubham
Explorer
‎05-26-2015 09:46 AM

Please share your search.
Also for finding issue, try to run your query in small parts,
like if your query is index=abc sourcetype=xyz | <part1> | <spart2> | stats <somefunction> by <field>
so first run normally before part 1 then with part 2 , this will help you in determining which part is creating issue.

Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-26-2015 08:47 AM

One of your later search commands is processing your events and coming up with no results. What is your search?

---
If this reply helps you, Karma would be appreciated.
Reply

paramagurukarth
Builder
‎05-27-2015 04:14 AM

Yes... You are both @intelsubham and @richgalloway are correct..
I am getting zero results due to a custom command in my query.
(Splunk docs.. says python custom command will returns only 50000 records.... and the last 50000 records are filtered by my query condition)..

0 Karma
Reply

rsennett_splunk
Splunk Employee
Splunk Employee
‎05-26-2015 09:20 AM

does it show "results" while executing or are you just seeing events returned? - And yes. we need to see your search.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...