Splunk Search

Getting no events with Real Time searching vs getting events with Historical search. No new events appearing.

davidts
Path Finder

I have some Windows perfmon events being indexed every 60s. When I perform a 15min historical search I see all the events that I expect to see (15 events in total). However, if I perform a 15m Real Time search (rt-15m) I see the 15 past events as expected but I then do NOT see any new events that come in.

Every minute an event drops out of the results list as the 15m window slides to the current time, but no new events appear.

Splunk version: 5.0.2
Search: index=perfmon host= object=Processor counter="% Processor Time"

I am using the time picker to specify the search windows.

1 Solution

Runals
Motivator

Maybe I'm just projecting some of my current issues but have you checked if there are timezone issues with your data?

index=yourIndex earliest=+1m latest=+1d


0 Karma

davidts
Path Finder

Update: I thought that this may be the case as well, but I have checked the TZ on the search head and index, and also the user and they are all the same.

0 Karma
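
A way to test the timestamp theory from the events themselves, as an added example that is not part of the original thread or either poster's search: compare each event's parsed timestamp (`_time`) with the time it was indexed (`_indextime`), both default Splunk fields, and group the difference per host. The index and field filters come from the question with the host filter left out; the 60-second, 15-minute and 2-minute thresholds are assumptions chosen for a 60s collection interval and a 15m window.

```spl
index=perfmon object=Processor counter="% Processor Time" earliest=-24h latest=+1d
| eval lag_sec = _indextime - _time
| eval skew = case(lag_sec < -60, "timestamp_in_future",
                   lag_sec > 900, "timestamp_older_than_window",
                   1==1, "ok")
| stats count min(lag_sec) AS min_lag max(lag_sec) AS max_lag avg(lag_sec) AS avg_lag by host, skew
| eval half_hours = round(avg_lag / 1800)
| eval residual_sec = abs(avg_lag - half_hours * 1800)
| eval tz_suspect = if(half_hours != 0 AND residual_sec < 120, "yes", "no")
| eval offset_hours = half_hours / 2
| table host skew count min_lag max_lag avg_lag offset_hours tz_suspect
| sort host skew
```

An average lag sitting within two minutes of a whole or half hour (`tz_suspect=yes`) points at a timezone offset applied when the timestamp was parsed, while a large but irregular lag points at forwarding delay instead.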
