Re: Summary incorrect on search page

splunkranger · ‎03-28-2014

The 'Search' page, which lists the number of events, the oldest and latest event is not accurate.

Can anyone tell me where this information is being collected from?

marcoscala · ‎03-29-2014

First of all, you will see events just from your 'default' indexes, depending on the User's role, as someoni2 said.

Then, if you have strange dates as newest or late see bent, this means that there's a time stamp problem: so if you see events in the future, check for events in that time range and check of time stamp in the event is translated. The same if you have events older than they are supposed to be. It's a quite common problem, if Imunderstood right your question.

Happy Splunking,
Marco

splunkranger · ‎03-28-2014

This jives.

Thank you!

somesoni2 · ‎03-28-2014

My bad, its indexes the users searches by default. Thanks @Martin for correction

martin_mueller · ‎03-28-2014

Does it use indexes the user has access to or indexes the user searches by default?

somesoni2 · ‎03-28-2014

Yes, the search shows stats from the indexes to which user has access to.

splunkranger · ‎03-28-2014

This looks correct when I run it, can the results be effected by a users security role?

somesoni2 · ‎03-28-2014

| metadata type=sourcetypes | search totalCount>0 | rename totalCount as Count | stats sum(Count) as "INDEXED" min(firstTime) as "EARLIEST EVENT" max(lastTime) as "LATEST EVENT"

Summary incorrect on search page

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases