Splunk Search

Search Fills FlashTimeLine with Events but No Events Display

rgcurry
Contributor

I have a user that reported he runs a search and the FlashTimeLine fills with over 5,000 events matching his search but the list of events does not display. I get the same results if I run the query but another user sees the events listed. Yesterday, a different user got results displayed; today he does not.

What would cause this to happen?

0 Karma

rgcurry
Contributor

I never did get a definitive answer to this problem, but there were a couple of things in common to each occurrence of it -- IE was the browser in use. On a few occasions, a few reported seeing the data displayed but when they went back to show me, it did not. One of those did say they used Firefox when the data displayed. Here are some of the other factors related to this situation:

  • Although only 5,000 or so events were matched, each event had VERY MANY lines, into the thousands. So the overall size of the result set was very large.
  • In each case, the user (including myself) had several open apps running and usually several tabs open in the browser. I am not certain if this was true for the Firefox user but when I tried this search using Firefox, it worked (mostly, see more below) but there were no other tabs open and only a couple of running apps on the computer I was using.
  • On one occasion, IE did display a page of data but froze when the user tried to go to the next page. Something similar happened to me when I tried this using Firefox but what was different was that the browser did not freeze, it simply stopped showing data and only line numbers appeared on the page. (IE would show nothing in the results pane.)

What I think was happening was that with so much data to format and display that memory became an issue and the system could not cope with it all; a factor of both the browser and OS. This is a gut call for sure but I could not find anything else to explain it. The problematic search worked OK when we would limit the number of results to a few 100 or less. Fortunately, that worked for the user needing this search as part of his application management plan.

BTW, this was with Splunk 4.2.1 so none of this is probably really relevant any more. I just noticed this still hanging out there as "open" and chose to follow-up and "close" the issue.

0 Karma

cramasta
Builder

What is the search you are running?

0 Karma