Splunk Search

Why were some events removed by Timeliner when they were missing _time?

bsanjeeva
Explorer

Hi,

When I run a search against an index in smart/verbose mode, I am getting the below error with zero results,

"Some events were removed by Timeliner because they were missing _time"

However, when the same query is run in fast mode I am seeing results. Is there anything wrong with the time of the logs coming in? How should I fix this?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...