Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are there no results found in a search while exploring the search tutorial?

rogue_carrot
Communicator
‎06-23-2018 01:40 PM

Hello Team Splunk,

I am following the simple search tutorial featuring logs in zip files from the fictitious company, "Buttercup Games". The problem is after 1) uploading the zip files, 2) viewing the sources in the data summary, and then 3) clicking on the source I do not 4) see any data in the search. This seems like I am missing something very important. So I wanted to check in with you all to see if you could help me figure out what is going wrong. Figure 1 below shows that there are no results in a search when there should be. Figure 2 shows that there are over thirty-thousand things in the log file that should probably appear in the search. What am I missing?

No results in a search for the vendor_sales.log in the tutorialdata.zip file. Error detected.
Figure 1: No results

30 thousand plus count for vendor_sales.log file in sources view of data summary.
Figure 2: 30K plus count for vendor_sales.log file - why doesn't anything show up in a search

The tutorial I am following is at the following URL: http://docs.splunk[dot]com/Documentation/Splunk/7.1.1/SearchTutorial/Aboutthesearchapp#

Thank-you for reading this.

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rogue_carrot
Communicator
‎06-24-2018 06:55 PM

I figured out my problem. 🙂 Feels great...

In the time selector the search was looking for the Last 24 hours. I changed this to search All time and behold my data was there! Or my events were there, or whatever that stuff is that should be there but was not earlier that necessitated this question. 🙂

Please see the screenshot that follows. Pay attention to the "All time" in the drop down to the left of the magnifine glass symbol. I think someone should update the tutorial for the Splunk noob trying to find their way through the stress of trying to scale a learning curve.
alt text

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

rogue_carrot
Communicator
‎06-24-2018 06:55 PM

I figured out my problem. 🙂 Feels great...

In the time selector the search was looking for the Last 24 hours. I changed this to search All time and behold my data was there! Or my events were there, or whatever that stuff is that should be there but was not earlier that necessitated this question. 🙂

Please see the screenshot that follows. Pay attention to the "All time" in the drop down to the left of the magnifine glass symbol. I think someone should update the tutorial for the Splunk noob trying to find their way through the stress of trying to scale a learning curve.
alt text

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎06-23-2018 02:29 PM

you need to add index = <your_index> or index=* before your search
the administrator, that has admin role, does not have indexes search by default defined in its role

hope it helps

Reply
Solved! Jump to solution

rogue_carrot
Communicator
‎06-24-2018 06:37 PM

I tried specifying an index with the wildcard, index=*, but this did not change anything. Still there are no results in the search. 😕 Please see the following screenshot.
alt text

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎06-23-2018 11:29 PM

@rogue_carrot also it would be better to unzip the log files to a folder and Monitor entire Folder using Splunk.

Once you have added the complete folder Splunk will give you an option to Start Searching, which will build the required query based on settings during Add Data Wizard.

http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/GetthetutorialdataintoSplunk#Use_t...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...