https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185838#M37211 <P>I have set up a indexer which I also use as an Search Head. I dont have a deployment server so I manually pushed (copied) the apps to the servers to configure the forwarders. The forwarders work just fine and are recognized by the Indexer. And the props as well as input apps work well. And I am able to search for the index data using:</P> <P><STRONG>index="test_index" sourcetype=test_sourcetype</STRONG></P> <P>All fields defined in props and transform file, show up correctly. These fields also show correctly: host, source and sourcetype. I can see "sourcetype=test_sourcetype" in the events. But I am unable search events using:</P> <P><STRONG>sourcetype=test_sourcetype</STRONG></P> <P>Any help will be appreciated.</P> <P>Thanks</P> <P>Olavo</P> Mon, 28 Sep 2020 18:02:01 GMT olavo123 2020-09-28T18:02:01Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185838#M37211 <P>I have set up a indexer which I also use as an Search Head. I dont have a deployment server so I manually pushed (copied) the apps to the servers to configure the forwarders. The forwarders work just fine and are recognized by the Indexer. And the props as well as input apps work well. And I am able to search for the index data using:</P> <P><STRONG>index="test_index" sourcetype=test_sourcetype</STRONG></P> <P>All fields defined in props and transform file, show up correctly. These fields also show correctly: host, source and sourcetype. I can see "sourcetype=test_sourcetype" in the events. But I am unable search events using:</P> <P><STRONG>sourcetype=test_sourcetype</STRONG></P> <P>Any help will be appreciated.</P> <P>Thanks</P> <P>Olavo</P> Mon, 28 Sep 2020 18:02:01 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185838#M37211 olavo123 2020-09-28T18:02:01Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185839#M37212 <P>I forgot to add that : Both indexer and Forwarders are version 6.1.</P> <P>Thanks</P> <P>Olavo</P> Fri, 24 Oct 2014 15:26:59 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185839#M37212 olavo123 2014-10-24T15:26:59Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185840#M37213 <P>Also, I see that I cannot use the fields "host" to perform any searches. I have to use the index= " ", then only other options like "host" , etc become operational.</P> <P>-Olavo</P> Fri, 24 Oct 2014 15:57:49 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185840#M37213 olavo123 2014-10-24T15:57:49Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185841#M37214 <P>It was my understanding that by default, the user roles only allow searches against index=main. If you wanted to default into other indexes, you'd have to update your roles per app behavior.</P> Fri, 24 Oct 2014 17:51:14 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185841#M37214 jluste 2014-10-24T17:51:14Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185842#M37215 <P>If you wish to have custom indexes searched by default you must update your Role(s) to include that index as part of the "Indexes searched by default."</P> <OL> <LI>Settings</LI> <LI>Access controles</LI> <LI>Roles</LI> <LI>Select Role(s)</LI> <LI>Scroll down to "Indexes searched by default"</LI> <LI>Add test_index</LI> <LI>Click SAVE</LI> </OL> Fri, 24 Oct 2014 18:03:26 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185842#M37215 MartinMcNutt 2014-10-24T18:03:26Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185843#M37216 <P>Note, this is unrelated to the app but rather controlled by the user's role.</P> Fri, 24 Oct 2014 20:11:54 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185843#M37216 martin_mueller 2014-10-24T20:11:54Z https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185844#M37217 <P>Yes, that's it. But I thought that this could also be set per application. Do the user roles allow per app settings? (Not an admin)</P> Mon, 27 Oct 2014 19:07:42 GMT https://community.splunk.com/t5/Getting-Data-In/Unable-to-search-using-Sourcetype/m-p/185844#M37217 jluste 2014-10-27T19:07:42Z