Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why won't Walklex timespan follow time specifications?

Derson
Engager
‎01-29-2023 12:06 AM

When I use walklex on my indexes, it doesn't appear to be following the time specifications very well. Does anybody know what is/might be happening here?

Command:
| walklex index=indexName type=field
| stats count by field

Examples for an index: 
Index 1:
* The buckets generally take about 6 hours to roll from hot to warm.
* When I select last 24 hours, I get results from above query like I would expect with a bit of overflow due to the bucket time span, but then there is a couple week gap with some events returned from several weeks prior.

Index 2:
* Some buckets have upwards of 2 years time span.
* When I run walklex over the last 7 days, I get results all the way back to 2017. When I look for the bucket ID and guId of the bucket containing the old results using dbinspect over a 14 day time range, I do not see that local ID combined with the guId. But when I look at all time I find the guId and local ID pair. But the bucket shows as being hot and last edited in January of 2020... which all of the other weird behavior set aside, walklex shouldn't be getting data from hot buckets unless the docs are wrong?

Labels (2)
Labels
Tags (2)
0 Karma
Reply
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...