https://community.splunk.com/t5/Splunk-Search/Splunk-searches-does-not-return-expected-values-even-though-the/m-p/709313#M239720 <P>Hi,&nbsp;</P><P>We recently migrated from a standalone Search Head to a clustered one. However, we are having some issue running some search commands. For example, this is a query that is not working on the new SH cluster</P><P>sourcetype=dataA index=deptA | where critC &gt; 25</P><P>&nbsp;</P><P>On the old search head, this query runs fine and we see the results as expected. But on the SH cluster, this doesn't yield anything.&nbsp;</P><P>I have run the "sourcetype=dataA index=deptA" search query by itself, and they both see the same events. I am not sure why the search with (| where citC &gt; 25) on the standalone SH would work and the cluster would not. Any help would be appreciated.</P><P>Thank you</P><P>&nbsp;</P> Tue, 21 Jan 2025 14:03:19 GMT josephp 2025-01-21T14:03:19Z https://community.splunk.com/t5/Splunk-Search/Splunk-searches-does-not-return-expected-values-even-though-the/m-p/709313#M239720 <P>Hi,&nbsp;</P><P>We recently migrated from a standalone Search Head to a clustered one. However, we are having some issue running some search commands. For example, this is a query that is not working on the new SH cluster</P><P>sourcetype=dataA index=deptA | where critC &gt; 25</P><P>&nbsp;</P><P>On the old search head, this query runs fine and we see the results as expected. But on the SH cluster, this doesn't yield anything.&nbsp;</P><P>I have run the "sourcetype=dataA index=deptA" search query by itself, and they both see the same events. I am not sure why the search with (| where citC &gt; 25) on the standalone SH would work and the cluster would not. Any help would be appreciated.</P><P>Thank you</P><P>&nbsp;</P> Tue, 21 Jan 2025 14:03:19 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-searches-does-not-return-expected-values-even-though-the/m-p/709313#M239720 josephp 2025-01-21T14:03:19Z https://community.splunk.com/t5/Splunk-Search/Splunk-searches-does-not-return-expected-values-even-though-the/m-p/709314#M239721 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/275149">@josephp</a>&nbsp;,</P><P>did you defined on the Search Head the field extraction for&nbsp;<SPAN>critC&nbsp;field?</SPAN></P><P><SPAN>if yes, the grants for this field are App or Global?</SPAN></P><P><SPAN>if App, are you in the same App?</SPAN></P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Tue, 21 Jan 2025 14:06:39 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-searches-does-not-return-expected-values-even-though-the/m-p/709314#M239721 gcusello 2025-01-21T14:06:39Z https://community.splunk.com/t5/Splunk-Search/Splunk-searches-does-not-return-expected-values-even-though-the/m-p/709315#M239722 <P>Hi Giuseppe,</P><P>May I have a pointer to splunk document for this "<SPAN>if yes, the grants for this field are App or Global?"?</SPAN></P><P>Thank you,</P> Tue, 21 Jan 2025 14:17:16 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-searches-does-not-return-expected-values-even-though-the/m-p/709315#M239722 josephp 2025-01-21T14:17:16Z https://community.splunk.com/t5/Splunk-Search/Splunk-searches-does-not-return-expected-values-even-though-the/m-p/709333#M239727 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/275149">@josephp</a>&nbsp;,</P><P>the point is that if you share the field extraction at App level, outside this app you cannot see the field.</P><P>So repeat your search in the App where you extracted the field and see if you have results.</P><P>If you need to run the search outside the app where the extraction is defined, share the field extraction at Global level.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 21 Jan 2025 15:40:41 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-searches-does-not-return-expected-values-even-though-the/m-p/709333#M239727 gcusello 2025-01-21T15:40:41Z