- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why does it say there are events but then it s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why does it say there are events but then it says "No results found"?
After running a search, I have the below results:
112,471 events (9/20/17 2:00:00.000 PM to 9/21/17 2:10:07.000 PM
But when I click on the Events tab, I see this: No results found. even though the search is in verbose mode.
How can I review those 112,471 events?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same issue. The search string run in Verbose mode in Search app, but it didn't run in dashboard. s_hostname is seach-time field extraction.
index=cisco_wsa sourcetype="cisco:wsa:w3c" s_hostname="*"| top limit=20 s_hostname
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @louismai, run index=cisco_wsa sourcetype="cisco:wsa:w3c" s_hostname="*"first and see if you get any s_hostname. The number of results is simply the number of events that were returned, doesn't mean that they have a valid s_hostname value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm surprised that no one answered this question since 2017. (I'm going to be asking the same one, phrased a bit differently, if I can't find an answer here)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
answer is in the comments ^^ " tstats will not display events , it will display your output in statistics only. "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What's your search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| tstats summariesonly max(_time) as _time,values(All_Traffic.src_category) as src_category,values(All_Traffic.dest_category) as dest_category,count from datamodel=Network_Traffic.All_Traffic by All_Traffic.src,All_Traffic.dest,All_Traffic.transport,All_Traffic.dest_port | drop_dm_object_name("All_Traffic") | is_traffic_prohibited(dest_port) | search (is_prohibited!="false" OR is_secure!="unknown") | fields _time,src,src_category,dest,dest_category,transport,dest_port,is_prohibited,is_secure
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What should be modified in the search to display the events in Verbose mode
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tstats will not display events , it will disply your output in statistics only.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
