
Older logs not getting displayed in view

vaibhavagg2006
Communicator

Hi,
I have created a view which displays a list of usernames in a table. When the user clicks on any user name, all the events for that user name are displayed in a new panel. I am using row drilldown to pass the parameter. But I am facing the following issue:
The events are coming fine for the last 2-3 months. But it does not show the events older than 5-6 months. The number-of-results header is showing the correct number as expected.
These events are also displayed in flashtimeline when the same query is used.
Please help me with this.
Thanks for your time.

```xml
<module name="textfield">
  <param name="name">search_filter</param>
  <param name="template">$value$</param>
  <module name="timerangepicker">
    <module name="button">
      <!-- First search: list of users shown in the table -->
      <module name="Search">
        <param name="search">index=xyz | table User</param>
        <module name="SimpleResultsHeader">
          <module name="Pager">
            <module name="SimpleResultsTable">
              <param name="entityname">Results</param>
              <param name="drilldown">Rows</param>
              <param name="fields">User</param>
              <!-- Drilldown search: events for the clicked user -->
              <module name="Search">
                <param name="search">index=xyz | search user=$click.fields.User$</param>
                <module name="SimpleResultsHeader">
                  <param name="events"></param>
                  <module name="EventViewer">
                  </module>
                </module>
              </module>
            </module>
          </module>
        </module>
      </module>
    </module>
  </module>
</module>
```

Please excuse syntax errors, as I have not copy-pasted the code.

0 Karma

Ayn
Legend

Not strictly a solution to your problem, but it would be a REALLY good idea to rewrite your second search. Right now it retrieves ALL events from the xyz index, THEN a separate search takes these events and filters out the ones with the clicked user. A much better idea would be to put this search term in the same search as "index=xyz" instead.

0 Karma

Drainy
Champion

Could you paste some example XML? Just at a wild stab, it sounds to me like the drilldown may be inheriting a different time range to the one that you want it to use; without the search string or XML it's hard to tell.

0 Karma

vaibhavagg2006
Communicator

Thanks for your time. Added the XML to the question.

0 Karma

vaibhavagg2006
Communicator

No, the logs are fine. The results with the same query are getting displayed in default search.

0 Karma

Ayn
Legend

Did something happen with the format of the logs 5-6 months ago? Maybe fields aren't getting extracted correctly? Do you see fields properly if you check these logs in the default search view?

0 Karma