Solved: Why does selecting a past date range not display r...

bagarwal · ‎10-24-2016

Hello ,

I have a search query where it runs successfully and is displaying result for last 7 days or last 30 days or last 4 hours.

It is giving me result if I choose date e.g. 17th Oct - 24th Oct (today's date). But if choose any other date between e.g. 17th Oct - 23rd Oct ; or 21st Oct - 23rd Oct (not today's date), it is displaying as "no results found".

My search to display top 10 users who consumed more bandwidth

index=<> host=<> | rename <> as "Users" | stats sum(totalBytes) as Bytes by Users | eval ConsumedGB = round(Bytes/(1024*1024*1024),2) |fields - Bytes | sort 10 -ConsumedGB

Also, if you can help edit the above query to be more optimized, please let me know, will be highly grateful.

Thanks in advance

Binay Agarwal

bagarwal · ‎10-25-2016

Hi somesoni2 and TStrauch,

Thanks for the response. I checked with the admin and figure out due to some reasons there were no logs in splunk prior to date and hence no events found .

Thank you once again for help. Was a good learning.

Regards,
Binay Agarwal

View solution in original post

bagarwal · ‎10-25-2016

Hi somesoni2 and TStrauch,

Thanks for the response. I checked with the admin and figure out due to some reasons there were no logs in splunk prior to date and hence no events found .

Thank you once again for help. Was a good learning.

Regards,
Binay Agarwal

somesoni2 · ‎10-24-2016

I would do a simple check to see for what all time range the data is available. May be by running query like this

index=<> host=<> | timechart span=1d count

Running this for last 7 days will give me for all days for which data was available. You can change span to 1h to see more granular views of the time range when data was available in that index/sourcetype/host.

TStrauch · ‎10-24-2016

Hey Binay,

are you sure that you have events in the specified timerange? By setting Last 7, Last 30, Last 4 hours etc.. you automatically get events from today.

It looks like there are simply no events.

Whats the first event displayed by setting last 7 days with the following search string?

index=<> host=<> | sort _time

bagarwal · ‎10-24-2016

Hi ,

Thanks for your response.

Specified timerange if I choose one of todays date then only I am getting the result. e.g.
If I choose date e.g. 17th Oct - 24th Oct(today's date) getting the result . But if choose any other date between e.g. 17th Oct - 23rd Oct(not today's date) ; or 21st Oct - 23rd Oct ( not today's date) it is displaying as no result found.

And I ran the query :
index=<> host=<> | sort _time

The first event displayed of todays date. And I just cross-checked. Only today's date result is displaying not for any other date ( same for the query I written)

Can you please help why it is so as I have written the query and where to correct. It will be really helpful.

Thanks & Regards,
Binay Agarwal

TStrauch · ‎10-24-2016

Your query i fine. The problem is that there are no events before today.

You specified index=<> host=<>. Probably the host was added to your splunk environment today? Or you create the index today?

The only thing i can tell you is... You have no data in your Splunk environment matchting the SPL-query.

index=<> host=<>

until today. 🙂

Why does selecting a past date range not display results?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms