topic Re: Not able to search with some fields in Splunk Search

Not able to search with some fields

vishaltaneja070 — Thu, 27 Jun 2019 07:22:52 GMT

Hello All
I am not sure, why i am not able to use search like

host=*

but if i search like

index=* host=*

then it will work.

Not sure why. I need to use more fields to start searching but some are working some are not.

Re: Not able to search with some fields

niketn — Thu, 27 Jun 2019 08:27:30 GMT

@vishaltaneja07011993 You can use Access Control in Splunk to define some default index which can be search by your user role without defining the index= in the search query.

Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Security/Addandeditroles#Add_or_edit_a_role

Re: Not able to search with some fields

DavidHourani — Thu, 27 Jun 2019 08:59:38 GMT

Hi @vishaltaneja07011993,

This is because running host=* is the equivalent of running index="your user's role default searched indexes" host=* .

If your requirement is that index=* host=* and host=* give you the same results then you need to add all your indexes to the list of indexes searched by default for your role.

To do so you can change this under Settings » Access controls » Roles » Your Role » Default indexes

Let me know if that helps.

Cheers,
David

Re: Not able to search with some fields

vishaltaneja070 — Thu, 27 Jun 2019 10:31:50 GMT

Hello @DavidHourani

Nope it is not like that, in the roles i have mentioned by default access to All non Internal indexes
But still it is not running

So some other issue it is.

Re: Not able to search with some fields

vishaltaneja070 — Thu, 27 Jun 2019 10:32:04 GMT

Hello @niketnilay

Nope it is not like that, in the roles i have mentioned by default access to All non Internal indexes
But still it is not running

So some other issue it is.

Re: Not able to search with some fields

DavidHourani — Thu, 27 Jun 2019 10:36:43 GMT

In the role you have two configs : Indexes searched by defaultand Indexesare they both set to All non Internal indexes ?

Re: Not able to search with some fields

vishaltaneja070 — Thu, 27 Jun 2019 10:57:44 GMT

Hello @davidhourani

yes
For Indexes searched by default

it is having All Non Internal indexes
& for indexes search one has both All Non Internal Indexes & All Internal Indexes

Re: Not able to search with some fields

DavidHourani — Thu, 27 Jun 2019 11:45:35 GMT

you have the same when running a search with sourcetype=* instead of host=* ?

Re: Not able to search with some fields

niketn — Thu, 27 Jun 2019 13:26:34 GMT

@vishaltaneja07011993 I am not sure why that is not working. If proper access has been provisioned this should work out of the box. You should raise a Splunk Support case to have them look into configuration issue.

What are the indexes that show up when you run the following query?

| tstats count where index=* by index

Re: Not able to search with some fields

vishaltaneja070 — Thu, 27 Jun 2019 13:34:04 GMT

No with sourcetype=* it is working good.

Re: Not able to search with some fields

DavidHourani — Thu, 27 Jun 2019 13:41:10 GMT

could be a bug then... it's weird...long shot but try something like host="*" maybe it has something to do with the format..

Re: Not able to search with some fields

vishaltaneja070 — Fri, 28 Jun 2019 09:57:59 GMT

Nope . No luck

Re: Not able to search with some fields

vishaltaneja070 — Fri, 28 Jun 2019 09:58:45 GMT

It is giving mostly all the indexes