Re: Why are indexed real-time searches not returni...

wishkres · ‎03-30-2022

I have a Splunk Enterprise cluster (version 8.1.3) that for some reason, is not returning any results for indexed real-time searches, but regular searches and regular real-time searches work just fine.

When I have my search app configured with indexed_realtime_use_by_default = false, my real time searches return fine. When indexed_realtime_use_by_default is true, it returns no data for the same search.

If I change the search from a real time search to any sort of historical search, I also get search results, including over the same time period my real time search is running.

Does anyone have any suggestions what I should look into?

BahadirS · ‎03-30-2022

Maybe there is a problem in your index time field extractions.

wishkres · ‎03-31-2022

@BahadirS Thanks! I've looked at the values of _time and _indextime on those events and it looks correct to me... Is there someplace else I should check?

Why are indexed real-time searches not returning results?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

Why are indexed real-time searches not returning results?

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions