Cannot search using sourcetype but can search with index

KarunK — Mon, 28 Sep 2020 10:04:11 GMT

Hi,

I have an app in my server, which is monitoring a directory (D:\Custom Install\Splunk_Sample_Data\Splunk_Pdn_Sample_Data\mms_export_e_wms_90) for a set of logs.
eg: mms_export_e_wms_90_10.152.59.75_20111107_185001_47217

When i search using the idex i can see the results. But not with sourcetype.
Can i get some advise ?

Thanks

index="mms_export_e_wms_90" - works fine
index="mms_export_e_wms_90" sourcetype="mms_export_e_wms_90" - Also works fine

But - sourcetype="mms_export_e_wms_90" - gives me no results

My config files are as below.

input.conf

[monitor://D:\Custom Install\Splunk_Sample_Data\Splunk_Pdn_Sample_Data\mms_export_e_wms_90]
disabled = false
crcSalt =
followTail = 0
host =
host_regex = (?i)[^\s]+mms_export_e_wms_90_(\d+.\d+.\d+.\d+)_\d+
index = mms_export_e_wms_90
sourcetype = mms_export_e_wms_90

props.conf

[mms_export_e_wms_90]
pulldown_type = true
KV_MODE=none
TRANSFORMS-comment = hash_comment
SHOULD_LINEMERGE=false
TZ=UTC
TIME_PREFIX=\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s
TIME_FORMAT=%Y-%m-%d %T
REPORT-fields = mms_export_e_wms_90_fields
EXTRACT-uri_schema = (?i)^(?:[^\s]* ){47}((?[^:/?#]+):)?(//(?[^/?#]))?(?[^?#|\s])(\?(?[^#|^\s]))?(#(?.[^\s]))?

transforms.conf

[hash_comment]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

[mms_export_e_wms_90_fields]
DELIMS = " "
FIELDS = "c-ip", "date", "time", "c-dns", "cs-uri-stem", "c-starttime", "x-duration", "c-rate", "c-status", "c-playerid", "c-playerversion", "c-playerlanguage", "cs(User-Agent)", "cs(Referer)", "c-hostexe", "c-hostexever", "c-os", "c-osversion", "c-cpu", "filelength", "filesize", "avgbandwidth", "protocol", "transport", "audiocodec", "videocodec", "channelURL", "sc-bytes", "c-bytes", "s-pkts-sent", "c-pkts-received", "c-pkts-lost-client", "c-pkts-lost-net", "c-pkts-lost-cont-net", "c-resendreqs", "c-pkts-recovered-ECC", "c-pkts-recovered-resent", "c-buffercount", "c-totalbuffertime", "c-quality", "s-ip", "s-dns", "s-totalclients", "s-cpu-util", "cs_user_name", "s_session_id", "s_content_path", "cs_url", "cs_media_name", "c_max_bandwidth", "cs_media_role", "s_proxied", "SE-action", "SE-bytes", "Username"

Re: Cannot search using sourcetype but can search with index

araitz — Tue, 08 Nov 2011 02:32:43 GMT

You need to add the mms_export_e_wms_90 index to your default index list. You can do that via Manager > Access Controls > Roles > Your Role and then add mms_export_e_wms_90 to the selected indexes list under "Indexes searched by default".

Click "Save" to complete the action, and now you can try your search again without the index specification.

Re: Cannot search using sourcetype but can search with index

KarunK — Tue, 08 Nov 2011 02:51:12 GMT

Perfect!!!!!
It worked.
Thanks. Appreciate that.

Re: Cannot search using sourcetype but can search with index

araitz — Tue, 08 Nov 2011 02:56:24 GMT

Sure thing. Be sure to vote up my answer 🙂

Re: Cannot search using sourcetype but can search with index

kurtus — Thu, 17 May 2012 22:17:46 GMT

This also worked for me. Thanks!

topic Re: Cannot search using sourcetype but can search with index in Splunk Search

Cannot search using sourcetype but can search with index

Re: Cannot search using sourcetype but can search with index

Re: Cannot search using sourcetype but can search with index

Re: Cannot search using sourcetype but can search with index

Re: Cannot search using sourcetype but can search with index