Splunk Search

Why are there no results found in a search while exploring the search tutorial?

rogue_carrot
Communicator

Hello Team Splunk,

I am following the simple search tutorial featuring logs in zip files from the fictitious company, "Buttercup Games". The problem is after 1) uploading the zip files, 2) viewing the sources in the data summary, and then 3) clicking on the source I do not 4) see any data in the search. This seems like I am missing something very important. So I wanted to check in with you all to see if you could help me figure out what is going wrong. Figure 1 below shows that there are no results in a search when there should be. Figure 2 shows that there are over thirty-thousand things in the log file that should probably appear in the search. What am I missing?

Figure 1: No results in a search for vendor_sales.log from the tutorialdata.zip file.

Figure 2: 30K plus count for the vendor_sales.log file in the sources view of the data summary; why doesn't anything show up in a search?

The tutorial I am following is at the following URL: http://docs.splunk[dot]com/Documentation/Splunk/7.1.1/SearchTutorial/Aboutthesearchapp#

Thank you for reading this.

1 Solution

rogue_carrot
Communicator

I figured out my problem. 🙂 Feels great...

In the time selector the search was looking for the Last 24 hours. I changed this to search All time and behold my data was there! Or my events were there, or whatever that stuff is that should be there but was not earlier that necessitated this question. 🙂

Please see the screenshot that follows. Pay attention to the "All time" in the drop-down to the left of the magnifying glass symbol. I think someone should update the tutorial for the Splunk noob trying to find their way through the stress of trying to scale a learning curve.
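A diagnostic search for the situation in this thread, added here as an example and not taken from the original posts: it ignores whatever the time picker is set to (earliest=0 and latest=now are explicit time modifiers in the search string) and reports how many events each source holds and the time span they cover, so an empty "Last 24 hours" result can be told apart from a missing index or a failed upload. The source wildcard is an assumption based on the tutorial's vendor_sales.log file name.

```spl
index=* source="*vendor_sales.log" earliest=0 latest=now
| stats count min(_time) AS first_event max(_time) AS last_event BY index source sourcetype
| convert ctime(first_event) ctime(last_event)
```

If this returns a row with a non-zero count but last_event is older than a day, the data is indexed and only the time range was excluding it; if it returns nothing even with index=*, look at the Add Data upload and index settings instead.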


adonio
Ultra Champion

You need to add index=<your_index> or index=* before your search.
The administrator, who has the admin role, does not have any indexes searched by default defined in that role.

Hope it helps.

rogue_carrot
Communicator

I tried specifying an index with the wildcard, index=*, but this did not change anything. Still there are no results in the search. 😕 Please see the following screenshot.

niketn
Legend

@rogue_carrot Also, it would be better to unzip the log files to a folder and monitor the entire folder using Splunk.

Once you have added the complete folder, Splunk will give you an option to Start Searching, which builds the required query based on the settings chosen in the Add Data wizard.

http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/GetthetutorialdataintoSplunk#Use_t...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"