topic Contradiction of search result ? in Splunk Search

Contradiction of search result ?

sunrise — Sun, 31 Mar 2013 04:29:21 GMT

I found the search contradiction between "index=* host=splkc" and "host=splkc".
Though the former search find some results, the later is not.
Why ?

Following environment.
Splunk version : 5.02
Operating System : Windows Server 2008 R2 64bit
Data : WMI Polling Data

Re: Contradiction of search result ?

sideview — Sun, 31 Mar 2013 05:49:18 GMT

If there is no index term in your search, then Splunk will search the indexes that are listed as the default indexes for your role. You can see this list by going to Manager > Authentication > Roles.

Since by default users just have index="main" in that list, then what's happening in the first screenshot is it's only searching index="main", and there are no events from that host there.

In the second screenshot you've searched for index="*". this tells splunkd that you'd like to search all of the indexes that you have permission to search, and in an index called "wmi_performancelog", there are some events from that host.

It's a little confusing that the absence of an index term is actually a more restrictive search than index=*, but that's what's happening here.

Re: Contradiction of search result ?

sunrise — Sun, 31 Mar 2013 10:27:20 GMT

Thank you sideview for quick response and explanation.