Solved: Getting no events with Real Time searching vs gett...

davidts · ‎04-16-2013

I have some Windows perfmon events being indexed every 60s. When I perform a 15min historical search I see all the events that I expect to see (15 events in total). However, If I perform a 15m Real Time search (rt-15m) I see the 15 past events as expected but I then do NOT see any new events that come in.

Every minute an event drops out of the results list as the 15m window slides to the current time, but no new events appear.

Splunk version: 5.0.2
Search: index=perfmon host= object=Processor counter="% Processor Time"

I am using the time picker to specify the search windows.

Runals · ‎04-16-2013

Maybe I'm just projecting some of my current issues but have you checked if there are timezone issues with your data?

index=yourIndex earliest=+1m latest=+1d

View solution in original post

davidts · ‎04-16-2013

Update: I thought that this may be the case as well, but I have checked the TZ on the search head and index, and also the user and they are all the same.

Runals · ‎04-16-2013

Maybe I'm just projecting some of my current issues but have you checked if there are timezone issues with your data?

index=yourIndex earliest=+1m latest=+1d

davidts · ‎04-16-2013

Update: I thought that this may be the case as well, but I have checked the TZ on the search head and index, and also the user and they are all the same.

Getting no events with Real Time searching vs getting events with Historical search. No new events appearing.

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?