All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Older logs not getting displyed in view

vaibhavagg2006
Communicator
‎12-02-2012 09:41 PM

Hi,
I have created a view which display list of username in a table.When user clicks on any user name, all the events for that user name are displayed in a new panel.I am using row drilldown to pass the parameter.But i am facing following issue:-
The events are coming fine for last 2-3 months.But it does not show the events older than 5-6 months.The no of results header is showing correct number as expected.
These events are also displayed in flashtimeline when used the same query.
Please help me with this.
Thanks for your time.

`

<module name=textfield>
<param name=name>search_filter</param>
<param name=template>$value$</param>
<module name=timerangepicker>
<module name=button>
<module name=Search>
<param name=search>index= xyz| table User</param>
<module name="SimpleResultHeader>
<module name="Pager">
<module name=SimpleResultsTable>
<param name="entityname>Results</param>
<param name=drilldown>Rows</param>
<param name=fields>User</param>
<module name=Search>
<param name=search>index= xyz |search user=$click.fields.User$</param>
<module name=SimpleResultsHeader>
<param name=events>
<module name=EventViewer>
</module>
</module>
</module>
</module>
</module>
</module>
        `

Please excuse syntax errors as i have not copy paste the code

Tags (1)
0 Karma
Reply

Ayn
Legend
‎12-04-2012 03:46 AM

Not strictly a solution to your problem, but it would be a REALLY good idea to rewrite your second search. Right now it retrieves ALL events from the xyz index, THEN a separate search takes these events and filters out the ones with the clicked user. A much better idea would be to put this search term in the same search as "index=xyz" instead.

0 Karma
Reply

Drainy
Champion
‎12-04-2012 01:26 AM

Could you paste some example XML. Just at a wild stab, it sounds to me like the drilldown may be inheriting a different time range to the one that you want it to use, without the search string or XML its hard to tell..

0 Karma
Reply

vaibhavagg2006
Communicator
‎12-04-2012 03:23 AM

thanks for ur time.added the xml to question

0 Karma
Reply

vaibhavagg2006
Communicator
‎12-03-2012 07:52 PM

No,the logs are fine.The result with the same query are getting displayed in default search.

0 Karma
Reply

Ayn
Legend
‎12-03-2012 01:21 AM

Did something happen with the format of the logs 5-6 months ago? Maybe fields aren't getting extracted correctly? Do you see fields properly if you check these logs in the default search view?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...