Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

events not showing

sulaimancds
Engager
‎04-25-2023 07:09 PM

| tstats summariesonly=true max(_time) as lastTime, count FROM datamodel=Change BY "All_Changes.action", "All_Changes.result_id", "All_Changes.user", "All_Changes.dest" | rename "All_Changes.*" as * | search result_id = 4732 | convert ctime(lastTime) as lastTime

 

i am running this command , there is output , but i want to see events and know more details , but events not showing

 

total number of events Complete 590,046 events

Labels (1)
Labels
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-25-2023 10:52 PM

@sulaimancds - tstats command does not search events, as it is built for performance and not for showing events. Use datamodel command instead or a regular search.

| datamodel Change All_Changes search strict_fields=false

 

Kindly upvote if you find this answer useful!!!

0 Karma
Reply

sulaimancds
Engager
‎04-25-2023 11:25 PM

hi please provide me the full command

Tags (1)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-26-2023 01:07 AM

@sulaimancds  - Try this as a full search and run it in "Verbose mode".

| datamodel Change All_Changes search strict_fields=false | search "All_Changes.result_id"=4732
  •  This will show the events as you asked.

 

But if you need events as well as the results then do a regular search in "Verbose mode".

index=* tag=change | stats max(_time) as lastTime, count BY action, result_id, user, dest
| search result_id = 4732 
| convert ctime(lastTime) as lastTime

 

Kindly accept the answer and upvote if this helps you!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...