Splunk Search

Why does the time range picker return events for Last 24 Hours, but not for Date and Time for the same time range?

Contributor

HI,

My search is
index=aa sourcetype=windows_server_hourly | rex field=host "(?[a-z0-9-]+).*" | eval "Server Name"=upper(shortname)|search "Server Name"="$Server Name$" counter="% Processor Time" | eval AVG=round(avg,2) | timechart span=1h values(AVG) AS AVG by "Server Name"
In SImple XML code :

  <label>Time Range</label>
  <default>
    <earliestTime>-24h</earliestTime>
    <latestTime>now</latestTime>
  </default>
</input>


<chart>
  <title>Processor Utilization</title>
  <searchString>
    <![CDATA[index=aa sourcetype=windows_server_hourly | rex field=host "(?<shortname>[a-z0-9-]+).*" | eval "Server Name"=upper(shortname)|search "Server Name"="$Server Name$" counter="% Processor Time" | eval AVG=round(avg,2) | timechart span=1h values(AVG) AS AVG by "Server Name"]]>
  </searchString>
  <earliestTime>$earliest$</earliestTime>
  <latestTime>$latest$</latestTime>

...
...

When I search Last 24 hours It shows the events. But if I select the same time range with Date & Time Range option, It says "no events found":
Why is this strange thing happening? Do we need to write something specific in search to take care of this.

Please suggest. Thanks in advance.

0 Karma

Esteemed Legend

First of all get rid of everything outside of the square brackets (including the square brackets). Do you have a "fieldest" portion of your XML form to set the $earliest$ and $latest$ tokens? If show, you need to included it (actually include all of your XML).

0 Karma