I have a list of services named Service1, Service2, Service3, Service4.
When I do a search as follows over past 60 mins, I am able to get results:
Search String:
service=Service*
Selected Field Results:
Values     Count   %
Service1   90      90
Service2   5       5
Service3   4       4
Service4   1       1
I am only interested in Service4 thus I do the following search expecting to see the logs for that 1 count.
Search String:
service=Service4
I get results as "No results found. Try expanding the time range."
Why am I not able to get the results for Service4 when there is a count?
Note the following please:
Are you searching over the same time period?
You mentioned doing the last 60 minutes. If Service4 had a value at the end of that timespan, and you then ran that second search after it had fallen out of the 60-minute timespan, then it would show zero. You could test this by setting relative times.
Try adding this to your query
earliest=-60m@m latest=now
Able to capture it with this added to the query. Thank you. Would you like to add this as an answer?
Great to hear!
I've converted this to an answer. Please accept/upvote
Is there extra whitespace you're not accounting for when you use a literal instead of a wildcard?
I second that. If not all, there may be a few events which have trailing spaces at the end of the field. Try running your Service2 and Service4 searches with a wildcard at the end. If it returns results as expected, you have a trailing space.
service=Service4*
Tried as suggested but same outcome.
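As an added illustration that is not part of the original thread, the Python below models the two explanations offered above: the accepted answer's point that a "last 60 minutes" window re-evaluated a couple of minutes later no longer contains an event that sat near the start of the window (and how a snapped modifier such as -60m@m fixes the boundary to the minute), and the comment's point that a field value with a trailing space is missed by a literal match but caught by service=Service4*. The event set, timestamps and service names are constructed; the modifier parser handles only s/m/h/d with an optional @snap and is an assumption about Splunk's relative-time syntax, not Splunk's own code.

```python
import re
from datetime import datetime, timedelta, timezone

# Relative time modifier in the shape Splunk uses: [+-]N<unit>[@<snap_unit>] or "now".
# Assumption: only s, m, h, d are handled here (a subset of the real syntax).
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_MODIFIER = re.compile(r"^([+-])(\d+)([smhd])(?:@([smhd]))?$")


def _snap(t: datetime, unit: str) -> datetime:
    """Truncate t down to the start of the given unit (second, minute, hour, day)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def resolve(modifier: str, now: datetime) -> datetime:
    """Resolve a relative modifier against a reference 'now': offset first, then snap."""
    if modifier == "now":
        return now
    m = _MODIFIER.match(modifier)
    if not m:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    sign, amount, unit, snap = m.groups()
    delta = timedelta(seconds=int(amount) * _UNIT_SECONDS[unit])
    t = now + delta if sign == "+" else now - delta
    return _snap(t, snap) if snap else t


def field_matches(value: str, pattern: str) -> bool:
    """Literal field match, or prefix match when the pattern ends with '*'."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return value == pattern


def search(events, service_pattern: str, earliest: str, latest: str, now: datetime):
    """Filter events by time window (earliest inclusive, latest exclusive) and service field."""
    lo, hi = resolve(earliest, now), resolve(latest, now)
    return [e for e in events
            if lo <= e["_time"] < hi and field_matches(e["service"], service_pattern)]


# Constructed sample events around a fixed reference time (not real data).
T = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
EVENTS = (
    [{"_time": T - timedelta(minutes=i), "service": "Service1"} for i in range(1, 11)]
    + [{"_time": T - timedelta(minutes=20), "service": "Service2"}]
    # Service4 event 59m30s ago: inside "last 60 minutes" now, outside it two minutes later.
    + [{"_time": T - timedelta(minutes=59, seconds=30), "service": "Service4"}]
    # Service4 with a trailing space, the situation the whitespace comment describes.
    + [{"_time": T - timedelta(minutes=30), "service": "Service4 "}]
)


def demo() -> dict:
    """Run the searches from the thread at two different 'now' values and report counts."""
    later = T + timedelta(minutes=2)
    return {
        "all_services_at_12_00": len(search(EVENTS, "Service*", "-60m", "now", T)),
        "service4_literal_at_12_00": len(search(EVENTS, "Service4", "-60m", "now", T)),
        "service4_literal_at_12_02": len(search(EVENTS, "Service4", "-60m", "now", later)),
        "service4_wildcard_at_12_00": len(search(EVENTS, "Service4*", "-60m", "now", T)),
        # Snapping to the minute pins the window start within the same minute.
        "snapped_earliest": resolve("-60m@m", T.replace(second=37)).isoformat(),
        "unsnapped_earliest": resolve("-60m", T.replace(second=37)).isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The literal Service4 search returns one event when run at 12:00:00 and none when run at 12:02:00, which is exactly the "count but no results" pattern from the question; the wildcard search additionally picks up the value with the trailing space, which is how the whitespace comment proposes to detect it.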