Application Management

 


Pinpoint a problem using time

This documentation does not apply to the most recent version of Splunk.

Once you have found the exact time of a problem, you can change your search to look at all the events that happened immediately beforehand to locate your error.

1. To investigate this event further, click the time at the left of the event. The time picker automatically changes to Custom and Splunk restricts the search to the minute in which the event occurred. This is one of many ways you can use the UI to change the contents of your search. See Search interactively with Splunk Web in the User manual for more tips.


2. Now expand your search to include all events that happened in that minute, not just events with the user's account number. Go to the search bar, delete the ID string, and press Enter to run the search index=test on this restricted time frame.


3. Scroll through the results for this time frame. If you need to expand or contract the time range, click Zoom out or Zoom in above the timeline. In this case, you can see a whole slew of database errors. Looks like the database ran out of space (again).


Note that you found the root cause directly, using just the accountNumber. You don't need fields or keys or any database structure here to get something that is useful right out of the box.
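The same pivot can be reproduced outside Splunk Web to see what each step selects. The following Python sketch is an added example, not part of the original documentation: the log lines, account numbers and function names are constructed for illustration, and it assumes one event per line with a leading timestamp.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original page): "date time message"
SAMPLE_LOG = """\
2010-06-01 14:21:58 app INFO login ok accountNumber=10042
2010-06-01 14:22:03 db ERROR write failed: no space left on device
2010-06-01 14:22:07 db ERROR transaction rolled back
2010-06-01 14:22:09 app ERROR checkout failed accountNumber=10077
2010-06-01 14:22:41 db ERROR write failed: no space left on device
2010-06-01 14:23:15 app INFO login ok accountNumber=10101
"""

def parse(text):
    """Split each line into (timestamp, message)."""
    events = []
    for line in text.splitlines():
        date, clock, rest = line.split(" ", 2)
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, rest))
    return events

def minute_of(events, needle):
    """Step 1: start of the minute holding the first event that matches needle."""
    for ts, msg in events:
        if needle in msg:
            return ts.replace(second=0, microsecond=0)
    return None

def events_in_window(events, start, zoom_minutes=0):
    """Steps 2-3: every event in that minute, with no ID filter.
    zoom_minutes widens the window on both sides, like Zoom out."""
    lo = start - timedelta(minutes=zoom_minutes)
    hi = start + timedelta(minutes=1 + zoom_minutes)
    return [(ts, msg) for ts, msg in events if lo <= ts < hi]

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    start = minute_of(events, "accountNumber=10077")
    for ts, msg in events_in_window(events, start):
        print(ts, msg)
```

Searching for the account number alone returns one event; dropping the ID and keeping the minute surfaces the three database errors around it.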

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8.

