Hello emiller,
I'm very puzzled,
I've installed my own splunk (version 6.2.2) on debian in the meantime and loaded the tutorial data into it according to the instruction in the tutorrial. But when I click on "Start to search", the reuslt is an orange triangle with ! in it and the messages "unknown sid" and "The search job XXX was canceled remotely or expired."
Searching for these messages on the web didn't yield any usable results. Also, hitting the "Data summary" button results in no data summary being displayed and a "waiting for results...".
So I returned to the sandbox to see for my former count problem there again. And ... mysterioulsy .. it was gone. I pasted the very same command "index=tutdata sourcetype="access*" host="www*" | timechart count by host" into the search field, and today it produced the correct values in the count column.
I didn't produce any screen shots last week, so I have no proof of the wrong results I wrote about.
Regards
Peter
... View more