The following Search command:
error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) )
results in only 1000 events. A banner displays the following message:
"Currently displaying the most recent 1000 events in the selected range. Select a narrower range or zoom in to see more events"
Objective: to see all events in the last 24 hours.
Thanks
UA
I think that this search code will help
error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) earliest=-24h@h
At the end of your search add this:
| table *
This will cause Splunk to return "results" instead of "events", and the restriction will be removed.
You can use a more specific table, or any aggregating command to get the same result.

This has to do with the difference between "events" and "results." For performance, Splunk will only pull the first 1000 events back to the SH, but this restriction does not apply to results.
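Two worked searches, added here as an example and not taken from the answer above, showing both alternatives it mentions: the first turns the events into results with a narrower table (only the default fields `_time`, `host`, `sourcetype` and `_raw`, so the review stays readable), the second aggregates the same 24-hour window so a reviewer can spot which host or sourcetype is producing the errors before drilling into the raw lines.

```spl
error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) earliest=-24h@h
| table _time host sourcetype _raw

error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) earliest=-24h@h
| stats count BY sourcetype host
| sort - count
```

Run either search on its own; the output appears in the Statistics tab as results rather than in the Events tab, which is where the 1000-event display cap applies.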
Thank you. This post helped me solve a long overdue problem. Points awarded!
And you're seeing the result in the Events tab or the Visualization tab? What do you want to do with the data returned?
in the Events tab. I normally would like to see all errors for the last 24 hours. I browse through these to see if anything critical has occurred.
What was the time range selected in the time range picker? Meanwhile, try this:
error OR failed OR severe OR ( sourcetype=access_* ( 404 OR 500 OR 503 ) ) earliest=-24h@h
The time range was the past 24 hours.
Same error was observed. I am sure there might be a limit set up in one of the config files.