Splunk Search

Why does it say there are events but then it says "No results found"?

frizzoS3
New Member

After running a search, I have the below results:
112,471 events (9/20/17 2:00:00.000 PM to 9/21/17 2:10:07.000 PM

But when I click on the Events tab, I see this: No results found. even though the search is in verbose mode.

How can I review those 112,471 events?

0 Karma

louismai
Path Finder

I have the same issue. The search string run in Verbose mode in Search app, but it didn't run in dashboard. s_hostname is seach-time field extraction.
index=cisco_wsa sourcetype="cisco:wsa:w3c" s_hostname="*"| top limit=20 s_hostname

0 Karma

DavidHourani
Super Champion

Hi @louismai, run index=cisco_wsa sourcetype="cisco:wsa:w3c" s_hostname="*"first and see if you get any s_hostname. The number of results is simply the number of events that were returned, doesn't mean that they have a valid s_hostname value.

bdmeyersc
Engager

I'm surprised that no one answered this question since 2017. (I'm going to be asking the same one, phrased a bit differently, if I can't find an answer here)

0 Karma

DavidHourani
Super Champion

answer is in the comments ^^ " tstats will not display events , it will display your output in statistics only. "

somesoni2
Revered Legend

What's your search?

0 Karma

frizzoS3
New Member

| tstats summariesonly max(_time) as _time,values(All_Traffic.src_category) as src_category,values(All_Traffic.dest_category) as dest_category,count from datamodel=Network_Traffic.All_Traffic by All_Traffic.src,All_Traffic.dest,All_Traffic.transport,All_Traffic.dest_port | drop_dm_object_name("All_Traffic") | is_traffic_prohibited(dest_port) | search (is_prohibited!="false" OR is_secure!="unknown") | fields _time,src,src_category,dest,dest_category,transport,dest_port,is_prohibited,is_secure

0 Karma

Ash
Engager

What should be modified in the search to display the events in Verbose mode

0 Karma

harsmarvania57
Ultra Champion

tstats will not display events , it will disply your output in statistics only.

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...