Splunk Search

Taking Tutorial. Why are No Events Found?

NateFromAlbany
Observer

I am taking the Pluralsight tutorial. I have followed all the steps very carefully in the "Demo: Getting Data into Splunk" video.  I first run into trouble about two minutes in. I uploaded the logfile successfully and successfully set the source type as access_combined_wcookie. My Event Break and Timestamp settings are the same as what is shown in the video. But in the large viewing window to the right, mine says "No results found. In the video there are Times and Events in this pane. 

I thought that perhaps I just needed to follow all the steps through to see Times and events, so I created the new index, as per the tutorial, and submitted successfully. But then I got the same "No Results Found" message on the New Search screen. I should note that the only difference between me and the tutorial video is that in the bar underneath the words "New Search," the host = my computer's name instead of "thenson-desktop."

What do I need to do to see results?

Labels (1)
0 Karma

marnall
Motivator

What happens if you search:

index=*

...and set the time to "All Time"?

This search should get all non-hidden logs in your Splunk indexes. Hopefully you get logs from several sourcetypes, and you can click on the sourcetypes in the fields column on the list and hopefully find the one you specified when you onboarded your logs.

If your sourcetype does not appear, then it is likely that something went wrong with the onboarding.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Pluralsight is an external entity. We don't know each and every training on Splunm that is out there. We don't know what the video shows, what is the scope of the training and whatever "the window to the right" is. Is it a real Splunk interface or some mockup? How are we supposed to know that?

0 Karma

NateFromAlbany
Observer

I'm using Splunk Enterprise, version 9.2.2, not a mockup.

I'm just using a logfile that I got from the Pluralsight website. 

I opened the file and looked at it before I uploaded it, and it appeared to be the same file being used in the training. The numbers in the file matched what I saw in the video.

After I clicked the submit button to upload the file, I got a "success" message, so I believe it worked, but is there some way to see the file after I uploaded it to make sure it's correct?

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Ahh. OK. That wasn't clear. I thought that maybe there's some "practice" environment with that training.

Anyway, you can look for your data by doing either what @marnall said or do a quick summary

| tstats count min(_time) as earliest max(_time) as latest where index IN (*,_*) by index sourcetype
| convert ctime(earliest) ctime(latest)

to see when and where your data is.  (the underscore-beginning Splunk's internal indexes are just to show you what it should look like).

Run this search over All Time

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Check that the timeframe for the search covers the times your events have been timestamped with (or simply use all time).

0 Karma

NateFromAlbany
Observer

Thank you, but I am already using All Time. I've tried to follow the tutorial as closely as possible, and I think I've been successful in that, which is why this "No Results Found" is so confounding.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...