×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
pinggru
New Member
Member since: ‎08-09-2023
‎08-09-2023
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎08-09-2023
View All

How to Retrieve Matched Events in Splunk Without W...

by in Splunk Search
‎08-09-2023 01:50 PM
‎08-09-2023 01:50 PM
Hello Splunk Community, I'm encountering an issue with my search queries in Splunk that I hope someone can help me with. When I run a search, Splunk often indicates that a subset of events has matched (e.g., 2 of 10,000 events matched), but the "Events" panel only shows the count in brackets and does not display the actual results. The main concern here is that these long-running queries frequently fail, and no data is returned at all. This is particularly frustrating when I know that some events have already matched. What I'm looking for is a way to have Splunk return the matched events as they are found, without waiting for the entire search to be completed. In other words, if 2 events have matched, I'd like to see those 2 events immediately, even if the search is still ongoing. Is there a configuration or query modification that would allow this behavior? Any guidance or insights would be greatly appreciated. Thank you in advance for your assistance! I have also attached a screenshot for reference. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎08-09-2023 08:11 PM