Splunk Search

Why am I getting "No results found." for any search, even if the events counter increases?

mabdelfattah
New Member

Hello,

I'm getting "No results found." whenever I search for any term in splunk.

I have 29,123,099 Events INDEXED and I was searching normally before today.

No matter what I search for, I always get no results found.

Can anyone please point me in the direction where to check?

Thank you

0 Karma

sloshburch
Splunk Employee

Check Settings -> Indexes to make sure there are events in the indexes. If you then can't see anything when you search that particular index, then post a screenshot of your user's role definition. Also check index=_internal log_level=ERROR to see if there's a problem. Lastly, since this is a local play environment, it might be easiest to just uninstall/reinstall Splunk and re-add the data, thereby starting clean.

0 Karma

mabdelfattah
New Member

Events are added to the main index and I can see them accumulating normally.

When I tried to see my user's role definition, I couldn't because this is the free version and user roles are not allowed.

Checking index=_internal log_level=ERROR, I found some errors:

2016-08-31 15:39:05,871 ERROR   [57c6ddf9ba19e01f4ee80] admin:1775 - [HTTP 402] Current license does not allow the requested action
Traceback (most recent call last):
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\controllers\admin.py", line 1745, in listEntities
    entities = en.getEntities(endpoint_path, **args)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\entity.py", line 129, in getEntities
    atomFeed = _getEntitiesAtomFeed(entityPath, namespace, owner, search, count, offset, sort_key, sort_dir, sessionKey, uri, hostPath, **kwargs)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\entity.py", line 222, in _getEntitiesAtomFeed
    serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\rest\__init__.py", line 513, in simpleRequest
    raise splunk.LicenseRestriction
LicenseRestriction: [HTTP 402] Current license does not allow the requested action

================================================================================================================

2016-08-30 15:50:00,313 ERROR   [57c58f084c19e01492278] config:132 - [HTTP 401] Client is not authenticated
Traceback (most recent call last):
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\lib\config.py", line 130, in getServerZoneInfo
    return times.getServerZoneinfo()
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\lib\times.py", line 158, in getServerZoneinfo
    serverStatus, serverResp = splunk.rest.simpleRequest('/search/timeparser/tz')
  File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\rest\__init__.py", line 510, in simpleRequest
    raise splunk.AuthenticationFailed
AuthenticationFailed: [HTTP 401] Client is not authenticated

host = 677878-db1 source = C:\Program Files\Splunk\var\log\splunk\web_service.log sourcetype = splunk_web_service

================================================================================================================

2016-08-30 15:38:12,792 ERROR   [57c58c44c9bbef1fc7f0] utility:49 - name=javascript, class=Splunk.Error, lineNumber=586, message=Uncaught TypeError: e.defaultDrilldown is not a function, fileName=http://192.168.100.12:8000/en-US/static/@debde650d26e/js/licenseusage.js

================================================================================================================

Thank you

0 Karma

mabdelfattah
New Member

I also have this warning in the license manager:

Severity    Time    Message Indexer Pool    Stack   Category
Correct by midnight to avoid violation Learn more   This pool contains 1 slave/s in violation       auto_generated_pool_free    free    pool_violated_slave_count
0 Karma

sloshburch
Splunk Employee

What did you see on Settings -> Licensing -> Usage Report? Screen shot maybe?

Also, did you switch to the Free License or did the license just expire? Make sure you've done this: http://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/MoreaboutSplunkFree#How_do_I_switch_to_Splun...

0 Karma

mabdelfattah
New Member

Hello SloshBurch,

The license expired, then I switched to the free account as per the instructions you sent. This was 6 days ago.

A screenshot of the license usage:

[screenshot]

As for the warnings:

[screenshot]

I can't clear these warnings as there are no more details for them. The warnings are:

[screenshots]

Thank you so much for your help

0 Karma

wpreston
Motivator

The free version of Splunk has an indexing limit of 500 Mb per day. Did you perhaps index more than that after the trial license expired? If you index above your licensing limit more than 3 times in a 30 day window on the free version, the search functionality becomes disabled until you either get an unlock key, input a new license or one of the violations rolls past the 30 day window and your total licensing violations fall to 3 or less.

See this document about licensing for more information if you think this is what happened.

0 Karma
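An added example, not part of the original thread: a small Python check that applies the rule as stated in the reply above (500 MB per day, search disabled once more than 3 violations fall inside a 30-day window) to daily license rollover lines. The log line layout and the `type`/`b` field names are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

FREE_QUOTA_BYTES = 500 * 1024 * 1024   # daily limit as stated in the reply
WINDOW_DAYS = 30                       # rolling window as stated in the reply
MAX_VIOLATIONS = 3                     # search is disabled above this count

# Constructed sample; the layout and field names (type, b) are assumptions.
SAMPLE_LOG = """\
08-24-2016 00:00:00.010 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" b=41943040
08-25-2016 00:00:00.010 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" b=629145600
08-26-2016 00:00:00.010 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" b=629145600
08-27-2016 00:00:00.010 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" b=629145600
08-28-2016 00:00:00.010 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" b=629145600
08-29-2016 00:00:00.010 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" b=41943040
08-30-2016 00:00:00.010 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" b=41943040
08-31-2016 00:00:00.010 +0000 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" b=41943040
"""

LINE_RE = re.compile(r'^(\d{2}-\d{2}-\d{4}) .*type=RolloverSummary\b.*\bb=(\d+)')

def daily_usage(log_text):
    """Return {date: bytes indexed} from rollover summary lines."""
    usage = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            day = datetime.strptime(m.group(1), "%m-%d-%Y").date()
            usage[day] = usage.get(day, 0) + int(m.group(2))
    return usage

def search_lock_days(usage, quota=FREE_QUOTA_BYTES):
    """Return the days on which the rolling violation count exceeds the limit."""
    if not usage:
        return []
    violations = sorted(d for d, b in usage.items() if b > quota)
    locked, day, end = [], min(usage), max(usage)
    while day <= end:
        start = day - timedelta(days=WINDOW_DAYS - 1)
        if sum(1 for v in violations if start <= v <= day) > MAX_VIOLATIONS:
            locked.append(day)
        day += timedelta(days=1)
    return locked

if __name__ == "__main__":
    for d in search_lock_days(daily_usage(SAMPLE_LOG)):
        print("search would be disabled on", d.isoformat())
```

In the constructed sample the fourth over-quota day is the first day reported, and every later day in the sample stays reported because all four violations are still inside the window.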

mabdelfattah
New Member

I will check this scenario. However, on the busiest day, I got 40 Mb of data. However, I can see other warnings in the license usage report.

Thank you for pointing me in the right direction. I will check and get back to you with the results.

0 Karma

jdonn_splunk
Splunk Employee

This can also be expected behavior from your search. For instance, this returns 0 of ~500,000 events:

index=* | where linecount > 1 | rex field=_raw "(?m)(?P<footer>^.*ESTABLISHED.*$)" | search footer

If you are still troubleshooting, just start with "index=* startminutesago=5" to see what you have access to.

0 Karma

mabdelfattah
New Member

index=* startminutesago=5 did not return anything.

I have also tried index=* and did not get anything.

The steps I used now to check the data are:

Step one: I open Splunk and I get this:

[screenshot]

Then I click on "Data Summary" and I get:

[screenshot]

When I click on the "192.168.100.1" host that contains all the events, I get this:

[screenshot]

One last thing to note, I was using Splunk trial and then the trial period expired. I then switched to Splunk free.

I'm not using distributed deployment. It is just installed on one server.

Thank you for your help.

0 Karma

mabdelfattah
New Member

Another thing:

When I click on the Job button below the search box, I get:

Peer 421798-db1's search ended prematurely. Attempting to reconnect and resume.

(421798-db1) is the server name.

0 Karma

sloshburch
Splunk Employee

Maybe add index=* to that search to see if the data for that IP still exists. If still nothing, then remove the host part and just search index=*. If that still fails, then check that your role still has access to search all indexes within the role definition menu in settings.

0 Karma

mabdelfattah
New Member

I have tried all of what you have mentioned. Unfortunately, it is still not working. I'm now checking the licensing report.

Thank you for your help.

0 Karma

micahkemp
Champion

Are you searching the correct index? Which index is your data in, and what is defined as your default search index?

0 Karma

mabdelfattah
New Member

I have not changed the index. Can you please let me know how to change the index?

0 Karma

sundareshr
Legend

Change time to All Time.

0 Karma

mabdelfattah
New Member

Time is already set to All time.

0 Karma

inventsekar
Ultra Champion

Maybe a user access issue. Do you have Splunk admin access? Can you check your user role and capabilities?

0 Karma

mabdelfattah
New Member

I'm using the Admin account. I used this account before for my searches.

0 Karma