Re: Alltime-Realtime Able to See Data - Zero Data ...

bitofrumncoke · ‎05-26-2021

Strangest thing. I have some Infoblox logs coming in from a Syslog-NG server where we have a UF installed. UF is successfully sending the Infoblox logs to Splunk BUT, I can only see those logs when doing an alltime-realtime search but can't see them anywhere when doing a historical alltime search even when logged in as admin. I can search other logs in the same index but just comes back with "0 events" and no errors in the job - just nothing. Can't find them via sourcetype, source or host.

Any ideas? I know the data is there but just can't see it on historical searches.

bitofrumncoke · ‎05-26-2021

Thanks for the response! Logs are in UTC time it seems so a bit in the future but all time should show data anyway. Still, ran another search for 1 year in the future and 1 year in the past at the same time - still zero data returned with no errors.

Yorokobi · ‎05-26-2021

Is the date/time in those syslog events far into the future or past? If they're in the future, you can try searching with earliest=now latest=+5y (for example). If they're too far into the past, Splunk is probably dropping them. Both of these scenarios are logged in the indexers' _internal index.

Alltime-Realtime Able to See Data - Zero Data for Historical Searches

other

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...