Splunk Search

Data not being displayed with previous working query.

siddharth1479
Path Finder

Hi Community,
I've been using Splunk Enterprise search and reporting for a month now, and now when I try to search with the same old query which worked previously, the results don't even show up. All I get is "No results found. Try expanding the time range." but I'm using a time range of the last 30 days.

Can anyone please help me with this?

Thanks,
Sid

0 Karma
1 Solution

cmerriman
Super Champion

You have earliest hardcoded in your search bar and it's set to 15min. When you remove that and broaden your search to 30d, does that help at all?

Have you checked that field extractions are working properly? You have User=*, but it could be that something happened and the field extractions are broken somewhere. Try just index=uam (I also noticed that in one comment you put iam and in another you put uam, so just double check for any typos) for a broader range and see the last time data came through (you can also use the |tstats trick that @mydog8it suggests, but I might add |tstats max(_time) as max_time max(_indextime) as max_indextime where index=uam | convert ctime(max_time) ctime(max_indextime) in order to get the last time and indextime for that index). If you see that data has come in within the last 15 minutes or so, shorten your time frame and do index=uam | fieldsummary to see what fields are being extracted.


siddharth1479
Path Finder

Thanks for the reply. I tried using the command you gave and it doesn't show the desired index I want. Seems like a problem with my permissions and I need to contact my Splunk admin. Thanks for helping me out.

0 Karma

gfreitas
Builder

It would be beneficial to post a sample of the search you're using. This will usually happen in two cases:
1. No data is available (perhaps no new data was indexed since it last worked, or the retention of the data you're looking for has already deleted the old data).
2. The field transformations you were using were changed and you cannot filter the data anymore (in this case I recommend you start cutting down the search query you were using to make sure you're matching something; let's say for example you were using this search: index=abc sourcetype=abc event=filtered | stats count by host; you can search for only index=abc, which should give you an idea if you really have data there and the problem is not your query).

0 Karma

siddharth1479
Path Finder

Hi,
Thanks for the reply. As you said, I cut down the search to only the index, and I'm still not able to see any data. I'm pretty sure that data is being indexed as I can see it on my server logs.

eg: index="iam" User="*" ----> Using this also won't show me any data

The query I'm using is this:

  index="uam" User="*" earliest=-15m latest=now | rename date_hour AS Hour date_mday AS Day date_minute AS Minute date_month AS Month date_second AS Second date_wday AS WeekDay date_year AS Year date_zone AS TimeZone | fields _time Year Month Day WeekDay Hour Minute Second TimeZone host User _raw | dedup _time


Thanks,
Sid

0 Karma

gfreitas
Builder

Try removing the hardcoded earliest=-15m latest=now, as this overrides the time you choose on the time picker.

0 Karma

siddharth1479
Path Finder

Did the same, still not able to get results. Need to contact my Splunk admin with the issue. Thanks for the help.

0 Karma

mydog8it
Builder

Try running this to see what indexes are being populated:

  |tstats count where index=* by index

Use the past 24 hours in the time picker.
This will show any index being written to in your environment. Verify that you see the index you want to query in the results.

0 Karma
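As an added example (not from any poster in this thread), the index check above and the max(_time)/max(_indextime) check from the accepted answer combined into one diagnostic search. It lists every index and sourcetype the current role is allowed to see, the newest event timestamp, the newest index time, and the gap between the two. A large gap means events are being indexed but carry stale or mis-parsed timestamps, so they fall outside a narrow time picker even though ingestion is fine; an index that is missing from the output entirely, as in Sid's case, points at role permissions rather than at the query. It assumes the time picker is set to the last 30 days; no index names are hardcoded.

```spl
| tstats count max(_time) as last_event max(_indextime) as last_indexed where index=* by index sourcetype
| eval ingest_lag_sec = last_indexed - last_event
| eval last_event = strftime(last_event, "%Y-%m-%d %H:%M:%S"), last_indexed = strftime(last_indexed, "%Y-%m-%d %H:%M:%S")
| sort - ingest_lag_sec
| table index sourcetype count last_event last_indexed ingest_lag_sec
```

tstats honours the same index permissions as an ordinary search, so if the expected index is absent from the table the role cannot read it and no rewrite of the query will help. If it is present but last_event is old while last_indexed is recent, timestamp extraction for that sourcetype is the problem; widen earliest/latest for that index and then run index=<name> | fieldsummary to confirm which fields, including User, are actually being extracted. The same search, run on a schedule, is what a SOC uses to catch silent ingestion gaps before they become detection blind spots.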
