Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are indexed real-time searches not returning results?

wishkres
Explorer
‎03-30-2022 01:13 PM

I have a Splunk Enterprise cluster (version 8.1.3) that for some reason, is not returning any results for indexed real-time searches, but regular searches and regular real-time searches work just fine.

When I have my search app configured with indexed_realtime_use_by_default = false, my real time searches return fine. When indexed_realtime_use_by_default is true, it returns no data for the same search.

If I change the search from a real time search to any sort of historical search, I also get search results, including over the same time period my real time search is running.

Does anyone have any suggestions what I should look into?

Labels (1)
Labels
0 Karma
Reply

BahadirS
Path Finder
‎03-30-2022 02:29 PM

Maybe there is a problem in your index time field extractions. 

0 Karma
Reply

wishkres
Explorer
‎03-31-2022 08:30 AM

@BahadirS Thanks! I've looked at the values of _time and _indextime on those events and it looks correct to me... Is there someplace else I should check?

Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...