Splunk Search

Search shows no results but there is 1 count

angersleek
Path Finder

I have a list of services named Service1, Service2, Service3, Service4.

When I do a search as follows over past 60 mins, I am able to get results:

Search String:
service=Service*

Selected Field Results: 
Values       Count         %
Service1     90            90
Service2     5              5
Service3     4              4
Service4     1              1

I am only interested in Service4 thus I do the following search expecting to see the logs for that 1 count.

Search String:
service=Service4

I get results as "No results found. Try expanding the time range."

Why am I not able to get the results for Service4 when there is a count?

Note the following please:

  1. Issue is not with the search string. If I do an extended search over 24 hours, I am able to get results when the count is 100+.
  2. Issue is likely not with the low count either. I am able to get results when I do a search for Service3, which has a lower count than Service2. But Service2 returns the same error "No results found. Try expanding the time range."
0 Karma
1 Solution

skoelpin
SplunkTrust

Are you searching over the same time period?

You mentioned doing the last 60 minutes. If Service4 had a value at the start of that timespan, and you then ran that second search after it fell out of the 60-minute timespan, it would show zero. You could test this by setting relative times.

Try adding this to your query

earliest=-60m@m latest=now


0 Karma
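As an added illustration of the time-window point made in this answer (this is not code from the thread or from Splunk), the Python below resolves a small subset of Splunk relative-time modifiers (offset first, then snap, as `-60m@m` does) and checks whether a single event falls inside the windows of two searches run 30 seconds apart. The event time, the search times and the assumption that the first search used an unsnapped `-60m` window are all constructed; the inclusive-earliest/exclusive-latest rule is Splunk's documented behaviour.

```python
import re
from datetime import datetime, timedelta

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}  # subset of Splunk units
_REL = re.compile(r"^(now)?([+-]\d+)?([smhd])?(?:@([smhd]))?$")
# Fields zeroed when snapping down to a unit boundary.
_SNAP = {"s": {"microsecond": 0}, "m": {"second": 0, "microsecond": 0},
         "h": {"minute": 0, "second": 0, "microsecond": 0},
         "d": {"hour": 0, "minute": 0, "second": 0, "microsecond": 0}}

def resolve(spec: str, now: datetime) -> datetime:
    """Resolve 'now', '-60m', '-60m@m' or '@d' against a reference time.
    Splunk applies the offset first, then snaps down to the '@' unit."""
    spec = spec.strip()
    m = _REL.match(spec)
    if not spec or not m:
        raise ValueError(f"unsupported time modifier: {spec!r}")
    _, amount, unit, snap = m.groups()
    if unit and not amount:
        raise ValueError(f"unit without offset: {spec!r}")
    t = now
    if amount:  # a bare number with no unit means seconds, as in Splunk
        t += timedelta(seconds=int(amount) * UNITS[unit or "s"])
    return t.replace(**_SNAP[snap]) if snap else t

def resolve_iso(spec: str, now_iso: str) -> str:
    return resolve(spec, datetime.fromisoformat(now_iso)).isoformat()

def in_window(event: datetime, earliest: str, latest: str, now: datetime) -> bool:
    """Splunk treats earliest as inclusive and latest as exclusive."""
    return resolve(earliest, now) <= event < resolve(latest, now)

def demo() -> dict:
    """Constructed scenario: one Service4 event at 10:00:30, first search at
    11:00:15, second search 30 s later. Without snapping the event drops out
    of the second window; with -60m@m both searches agree."""
    event = datetime(2024, 3, 1, 10, 0, 30)
    first = datetime(2024, 3, 1, 11, 0, 15)
    second = datetime(2024, 3, 1, 11, 0, 45)
    return {
        "unsnapped_first": in_window(event, "-60m", "now", first),
        "unsnapped_second": in_window(event, "-60m", "now", second),
        "snapped_first": in_window(event, "-60m@m", "now", first),
        "snapped_second": in_window(event, "-60m@m", "now", second),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'found' if hit else 'no results'}")
```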

angersleek
Path Finder

Able to capture it with this added to query. Thank you. Would you like to add this as an answer?

0 Karma

skoelpin
SplunkTrust

Great to hear!

I've converted this to an answer. Please accept/upvote

0 Karma

kmaron
Motivator

Is there extra whitespace you're not accounting for when you use a literal instead of a wildcard?

somesoni2
SplunkTrust

I second that. If not all, there may be a few events that have trailing spaces at the end of the field. Try running your Service2 and Service4 searches with a wildcard at the end. If it returns results as expected, you have a trailing space.

service=Service4*

0 Karma

angersleek
Path Finder

Tried as suggested but same outcome.

0 Karma