Re: With tstats command I can see the results in s...

babukumarreddy · ‎10-20-2022

Hi

For example

Using below query i can see when we received the last log to splunk, based on that if I search for events it's not showing

Using below spl i can see when we we received latest events with below combination with 30 days timerange

|Tstats latest(_time) as _time where index=abc sourcetype="Cisco devises" host=1234 by index source sourcetype host.

But if I search same spl for seeing events not showing the results --same timerange

index=abc sourcetype="Cisco devises" host=1234

jdunlea · ‎10-20-2022

When you expand the time range for your regular (non-tstats) search, do you get any results? Like over a 24 hour or 7 day time range?

babukumarreddy · ‎10-20-2022

@jdunlea with normal search i can't see any results after increasing the time range also.

jdunlea · ‎10-21-2022

Were you ever seeing data in this index for any time range, using a normal search?

I am wondering if you are encountering an access problem for the specific index, and that the tstats search is returning something as a result of a bug.

jdunlea · ‎10-20-2022

Is the value for latest(_time) returning a time that is within your time range?

babukumarreddy · ‎10-20-2022

@jdunlea Yes

With tstats command I can see the results in splunk, but with normal search I'm unable to see the results in Splunk?

tstats

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

With tstats command I can see the results in splunk, but with normal search I'm unable to see the results in Splunk?

tstats

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!