Splunk Search

Why does it say there are events but then it says "No results found"?

frizzoS3
New Member

After running a search, I have the below results:
112,471 events (9/20/17 2:00:00.000 PM to 9/21/17 2:10:07.000 PM)

But when I click on the Events tab, I see this: "No results found." even though the search is in verbose mode.

How can I review those 112,471 events?

0 Karma

louismai
Path Finder

I have the same issue. The search string runs in Verbose mode in the Search app, but it didn't run in the dashboard. s_hostname is a search-time field extraction.
index=cisco_wsa sourcetype="cisco:wsa:w3c" s_hostname="*" | top limit=20 s_hostname

0 Karma

DavidHourani
Super Champion

Hi @louismai, run index=cisco_wsa sourcetype="cisco:wsa:w3c" s_hostname="*" first and see if you get any s_hostname. The number of results is simply the number of events that were returned; it doesn't mean that they have a valid s_hostname value.

bdmeyersc
Engager

I'm surprised that no one answered this question since 2017. (I'm going to be asking the same one, phrased a bit differently, if I can't find an answer here)

0 Karma

DavidHourani
Super Champion

The answer is in the comments ^^ "tstats will not display events, it will display your output in statistics only."

0 Karma

somesoni2
Revered Legend

What's your search?

0 Karma

frizzoS3
New Member

| tstats `summariesonly` max(_time) as _time,values(All_Traffic.src_category) as src_category,values(All_Traffic.dest_category) as dest_category,count from datamodel=Network_Traffic.All_Traffic by All_Traffic.src,All_Traffic.dest,All_Traffic.transport,All_Traffic.dest_port | `drop_dm_object_name("All_Traffic")` | `is_traffic_prohibited(dest_port)` | search (is_prohibited!="false" OR is_secure!="unknown") | fields _time,src,src_category,dest,dest_category,transport,dest_port,is_prohibited,is_secure

0 Karma

Ash
Engager

What should be modified in the search to display the events in Verbose mode?

0 Karma

harsmarvania57
SplunkTrust

tstats will not display events, it will display your output in statistics only.
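
Added example, not written by any poster in this thread: because tstats returns only statistics, one way to review the underlying events is to run an event-returning search over the same data model dataset and filter it with the rows that tstats produced. The `head 5` limit is an arbitrary choice for illustration, and both the outer search and the subsearch use the time range selected in the time picker.

```spl
| datamodel Network_Traffic All_Traffic search
| search
    [| tstats count from datamodel=Network_Traffic.All_Traffic
         by All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port
     | sort - count
     | head 5
     | fields All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port ]
```

The subsearch expands to an OR of the five src/dest/dest_port combinations, so the Events tab lists only the events behind those statistics rows.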
