×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
christopherwood
Explorer
Member since: ‎09-20-2013
‎06-05-2020
Community Statistics
Posts 4
Solutions 0
Karma Given 9
Karma Received 2
Member Since ‎09-20-2013
Activity Feed
View All

Re: "All time" works OK; "All time (realtime)" sho...

by in Splunk Search
‎10-22-2013 09:16 AM
‎10-22-2013 09:16 AM
If this search logic is indeed so, it's the reason for my concern - why are no search results showing, even with just a single wildcard search term? There's a steady stream of debug-level syslogs coming in and these can be seen in historical searches, I can't understand why nothing's showing realtime. ... View more

Re: "All time" works OK; "All time (realtime)" sho...

by in Splunk Search
‎10-22-2013 02:45 AM
‎10-22-2013 02:45 AM
And ta for the SoS app, that also looks very interesting and I'm now off to install. I'm mindful of how Splunk will scale and how we're going to need to structure a Splunk deployment as we build up the cluster (we're not yet fully decided on using just Splunk for aggregation and indexing, SoS looks like it'll be very useful.) ... View more

Re: "All time" works OK; "All time (realtime)" sho...

by in Splunk Search
‎10-22-2013 02:42 AM
‎10-22-2013 02:42 AM
At the moment it's one of a handful of VMs running on a fairly powerful setup (10GigE from backplanes, GigE virtual interfaces with an EMC VNX5500 backing it all up) so I'm confident I'm not taxing the storage I/O 🙂 Your power search looks useful, definitely bookmarking for future use. As expected, there's not much logging going on just at the moment (not a lot pointed to the IP): _internal is still hovering between 83 and 95 and the half-hourly _audit intervals are showing 1.49707 . As these are all KB I'm not overly concerned yet 😉 (And I've only been logging for a week...!) ... View more

"All time" works OK; "All time (realtime)" shows n...

by in Splunk Search
‎10-21-2013 07:38 AM
2 Karma
‎10-21-2013 07:38 AM
2 Karma
Whilst leaving a Splunk 6 search page open tailing incoming syslogs (with the default * search query), I realised it wasn't tailing in realtime. I investigated the timeframe options and noticed 'All time (realtime)'; I tried to select it but found no results displayed. What I did get was a progress spinner in the left-hand corner below the search box and an empty search results area! I left the page open for an hour or so and when I returned I could see a small "Invalid SID" error message below the search box (with no results). I've only been compiling syslogs from a dozen or so devices for approximately one week, and Splunk's running on a dedicated Linux VM with a huge amount of CPU and RAM - it surprised me that realtime result display doesn't work. The install is essentially OOTB default on 64-bit Ubuntu (from the .deb), aside from the addition of the Modular SNMP app (currently not functional). ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All
Karma given to