The following search command:

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )

returns only 1000 events. A banner displays the following message:

"Currently displaying the most recent 1000 events in the selected range. Select a narrower range or zoom in to see more events"

Objective: to see all events in the last 24 hours.
What was the time range selected in the time range picker? Meanwhile, try this

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) earliest=-24h@h

in the Events tab.

I normally would like to see all errors for the last 24 hours. I browse through these to see if anything critical has occurred.
At the end of your search add this:

| table *

This will cause Splunk to return "results" instead of "events", and the restriction will be removed. You can use a more specific table, or any aggregating command, to get the same result.

This has to do with the difference between "events" and "results." For performance, Splunk will only pull the first 1000 events back to the search head, but this restriction does not apply to results.
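Putting the two answers together, an explicit 24-hour window plus an aggregating command so Splunk returns results rather than the capped event list, here is an added triage search that is not from the thread; it assumes only Splunk's default fields host, source, sourcetype and _time, and the class label names are arbitrary:

```spl
error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) earliest=-24h@h latest=now
| eval class=if(match(sourcetype, "^access_"), "http_error", "log_error")
| stats count,
        earliest(_time) AS first_seen,
        latest(_time)   AS last_seen,
        dc(source)      AS distinct_sources
  BY host, class
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

Because stats produces results, the 1000-event banner no longer applies; to review the individual events instead, replace everything after the first line with | table _time host sourcetype _raw.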