https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-0-results-when-trying-to-filter-my-search-by/m-p/230300#M68266 <P>Check with your Splunk admin. It is possible to restrict access to specific sourcetypes</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Security/Addandeditroleswithauthorizeconf#Search_filter_format">http://docs.splunk.com/Documentation/Splunk/6.2.4/Security/Addandeditroleswithauthorizeconf#Search_filter_format</A></P> Tue, 16 Aug 2016 23:45:20 GMT sundareshr 2016-08-16T23:45:20Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-0-results-when-trying-to-filter-my-search-by/m-p/230296#M68262 <P>I'm facing an issue which I'm simply unable to understand</P> <P>I ran a search, simply by specifying the index I want to search in like this:</P> <PRE><CODE>index=my_index </CODE></PRE> <P>After this, I selected one of the values which were displayed in the top 10 for the sourcetype field, and added it to my search, so I had:</P> <PRE><CODE>index=my_index sourcetype=my:sourcetype </CODE></PRE> <P>And then, I got 0 results. I haven't changed the time picker or anything else, and I'm unable to understand why I'm not getting any results. Checking with the metadata command, I have thousands of events with this sourcetype in the index, and Splunk is displaying this sourcetype in the values of the field, but for some reason I can't run a search for it.</P> <P>Edit:</P> <P>When I'm not narrowing my search with that filer, I see the events with that particular sourcetype</P> <P>Edit2:</P> <P>Searching with:</P> <PRE><CODE>index=my_index sourcetype=* </CODE></PRE> <P>is not yielding any events with this problematic sourcetype.<BR /> The sourcetype itself if set by props.conf, could this cause any issues? </P> Tue, 16 Aug 2016 15:05:59 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-0-results-when-trying-to-filter-my-search-by/m-p/230296#M68262 szabados 2016-08-16T15:05:59Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-0-results-when-trying-to-filter-my-search-by/m-p/230297#M68263 <P>Maybe, add double quotes around source type.</P> <P>index=my_index sourcetype="my:sourcetype"</P> Tue, 16 Aug 2016 15:21:13 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-0-results-when-trying-to-filter-my-search-by/m-p/230297#M68263 inventsekar 2016-08-16T15:21:13Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-0-results-when-trying-to-filter-my-search-by/m-p/230298#M68264 <P>Yes, when I clicked the value from the list, it automatically added, it didn't work either</P> Tue, 16 Aug 2016 15:22:32 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-0-results-when-trying-to-filter-my-search-by/m-p/230298#M68264 szabados 2016-08-16T15:22:32Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-0-results-when-trying-to-filter-my-search-by/m-p/230299#M68265 <P>Simply when you search for </P> <PRE><CODE>sourcetype=my:sourcetype </CODE></PRE> <P>what it returns</P> Tue, 16 Aug 2016 15:35:56 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-0-results-when-trying-to-filter-my-search-by/m-p/230299#M68265 inventsekar 2016-08-16T15:35:56Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-0-results-when-trying-to-filter-my-search-by/m-p/230300#M68266 <P>Check with your Splunk admin. It is possible to restrict access to specific sourcetypes</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.2.4/Security/Addandeditroleswithauthorizeconf#Search_filter_format">http://docs.splunk.com/Documentation/Splunk/6.2.4/Security/Addandeditroleswithauthorizeconf#Search_filter_format</A></P> Tue, 16 Aug 2016 23:45:20 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-0-results-when-trying-to-filter-my-search-by/m-p/230300#M68266 sundareshr 2016-08-16T23:45:20Z