Why are indexed real-time searches not returning r...

wishkres · ‎03-30-2022

I have a Splunk Enterprise cluster (version 8.1.3) that for some reason, is not returning any results for indexed real-time searches, but regular searches and regular real-time searches work just fine.

When I have my search app configured with indexed_realtime_use_by_default = false, my real time searches return fine. When indexed_realtime_use_by_default is true, it returns no data for the same search.

If I change the search from a real time search to any sort of historical search, I also get search results, including over the same time period my real time search is running.

Does anyone have any suggestions what I should look into?

BahadirS · ‎03-30-2022

Maybe there is a problem in your index time field extractions.

wishkres · ‎03-31-2022

@BahadirS Thanks! I've looked at the values of _time and _indextime on those events and it looks correct to me... Is there someplace else I should check?

Why are indexed real-time searches not returning results?

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation

Why are indexed real-time searches not returning results?

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025