https://community.splunk.com/t5/Splunk-Search/Has-anyone-been-able-to-figure-out-how-to-search-indexed/m-p/642836#M222644 <P>where is case-sensitive, search is not. Check the exact spelling and case of the sourcetype you are searching for.</P> Wed, 10 May 2023 13:26:44 GMT ITWhisperer 2023-05-10T13:26:44Z https://community.splunk.com/t5/Splunk-Search/Has-anyone-been-able-to-figure-out-how-to-search-indexed/m-p/642831#M222643 <DIV class="">Has anyone been able to figure out how to search indexed XmlWinEventLog sourcetype sample logs in the Ingest Action GUI? The actual search being used uses the<SPAN>&nbsp;</SPAN>|where<SPAN>&nbsp;</SPAN>command which seems to be the issue.</DIV> <PRE>index=* OR index=_* sourcetype="XmlWinEventLog" | where sourcetype="XmlWinEventLog" | head 100</PRE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-05-10 at 9.02.53 AM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/25324i8E49223105C23662/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2023-05-10 at 9.02.53 AM.png" alt="Screenshot 2023-05-10 at 9.02.53 AM.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-05-10 at 9.02.25 AM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/25323iE290AD1932CDA429/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2023-05-10 at 9.02.25 AM.png" alt="Screenshot 2023-05-10 at 9.02.25 AM.png" /></span></P> <P>  </P> Thu, 11 May 2023 02:00:01 GMT https://community.splunk.com/t5/Splunk-Search/Has-anyone-been-able-to-figure-out-how-to-search-indexed/m-p/642831#M222643 tjones130 2023-05-11T02:00:01Z https://community.splunk.com/t5/Splunk-Search/Has-anyone-been-able-to-figure-out-how-to-search-indexed/m-p/642836#M222644 <P>where is case-sensitive, search is not. Check the exact spelling and case of the sourcetype you are searching for.</P> Wed, 10 May 2023 13:26:44 GMT https://community.splunk.com/t5/Splunk-Search/Has-anyone-been-able-to-figure-out-how-to-search-indexed/m-p/642836#M222644 ITWhisperer 2023-05-10T13:26:44Z https://community.splunk.com/t5/Splunk-Search/Has-anyone-been-able-to-figure-out-how-to-search-indexed/m-p/642844#M222646 <P>I have tried multiple variations of <SPAN>case-sensitivity, with no luck. The sourcetype that returns when running&nbsp;index=* sourcetype="XmlWinEventLog" is "XmlWinEventLog".&nbsp;</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2023-05-10 at 9.44.20 AM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/25327i153BAEF3A5071765/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2023-05-10 at 9.44.20 AM.png" alt="Screenshot 2023-05-10 at 9.44.20 AM.png" /></span></P><P> </P> Wed, 10 May 2023 13:46:15 GMT https://community.splunk.com/t5/Splunk-Search/Has-anyone-been-able-to-figure-out-how-to-search-indexed/m-p/642844#M222646 tjones130 2023-05-10T13:46:15Z https://community.splunk.com/t5/Splunk-Search/Has-anyone-been-able-to-figure-out-how-to-search-indexed/m-p/694357#M236186 <P>Hi there!<BR /><BR />This was published as a known issue first in 9.0.2:&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/9.0.2/ReleaseNotes/KnownIssues" target="_blank">https://docs.splunk.com/Documentation/Splunk/9.0.2/ReleaseNotes/KnownIssues</A></P><P>See the entry for&nbsp;SPL-235416.</P><P>The preview UI in Ingest Actions has since been fixed in:<BR />Splunk Enterprise version 9.0.5+<BR />Splunk Cloud Platform version 9.0.2303+</P><P>&nbsp;</P> Thu, 25 Jul 2024 21:47:50 GMT https://community.splunk.com/t5/Splunk-Search/Has-anyone-been-able-to-figure-out-how-to-search-indexed/m-p/694357#M236186 fjiang 2024-07-25T21:47:50Z