- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Older logs not getting displyed in view
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Older logs not getting displyed in view
Hi,
I have created a view which display list of username in a table.When user clicks on any user name, all the events for that user name are displayed in a new panel.I am using row drilldown to pass the parameter.But i am facing following issue:-
The events are coming fine for last 2-3 months.But it does not show the events older than 5-6 months.The no of results header is showing correct number as expected.
These events are also displayed in flashtimeline when used the same query.
Please help me with this.
Thanks for your time.
`
<module name=textfield>
<param name=name>search_filter</param>
<param name=template>$value$</param>
<module name=timerangepicker>
<module name=button>
<module name=Search>
<param name=search>index= xyz| table User</param>
<module name="SimpleResultHeader>
<module name="Pager">
<module name=SimpleResultsTable>
<param name="entityname>Results</param>
<param name=drilldown>Rows</param>
<param name=fields>User</param>
<module name=Search>
<param name=search>index= xyz |search user=$click.fields.User$</param>
<module name=SimpleResultsHeader>
<param name=events>
<module name=EventViewer>
</module>
</module>
</module>
</module>
</module>
</module>
`
Please excuse syntax errors as i have not copy paste the code
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not strictly a solution to your problem, but it would be a REALLY good idea to rewrite your second search. Right now it retrieves ALL events from the xyz index, THEN a separate search takes these events and filters out the ones with the clicked user. A much better idea would be to put this search term in the same search as "index=xyz" instead.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you paste some example XML. Just at a wild stab, it sounds to me like the drilldown may be inheriting a different time range to the one that you want it to use, without the search string or XML its hard to tell..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks for ur time.added the xml to question
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No,the logs are fine.The result with the same query are getting displayed in default search.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did something happen with the format of the logs 5-6 months ago? Maybe fields aren't getting extracted correctly? Do you see fields properly if you check these logs in the default search view?
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
