https://community.splunk.com/t5/Splunk-Search/Eventtype-and-Subsearch-problem-after-migration/m-p/334429#M99395 <P>Hi everybody.</P> <P>After migrating splunk from one node to another I started having problems with eventtypes and subsearch.<BR /> We have migrated everything. From apps to users. With the related authorizations.</P> <P>Now when I run a search with a simple eventtype (Eventtype "example" ---&gt; index = linux sourcetype = suse) the search does not return any results. If you manually specify the index before the eventtype then the search works and returns results (index=linux eventtype="example"). <BR /> It seems like it's a problem of access to the indexes. As specifying it the eventtype works. If he has to access it only through the eventtype he can not.</P> <P>I checked the various permissions and executed the eventtype from the app search. Nothing.</P> <P>if I add this index at the "Indices included by default in the search" the eventtype works.</P> <P>I also noticed that subsearch does not work. The subsearch does not work in a dashboard moved from the old node to the new one. But if I run it like simple search it works perfectly. The search is correct because the on the old node works. Even here it seems a problem of authorizations. I checked them and it looks like everything it's ok.</P> <P>I think something happened during the migration. Although everything has been recreated in the same way.</P> <P>Splunk now is at 7.0.0. </P> <P>Thank you.</P> <P>EDIT: </P> <P>I noticed that if instead of using an index created by the Master Node (Indexers are clustered) I use an index created locally on one of the two nodes eventtypes work properly. <BR /> They can not operate only on the indices created by the Master Node.</P> Tue, 12 Dec 2017 10:03:22 GMT danyx32 2017-12-12T10:03:22Z https://community.splunk.com/t5/Splunk-Search/Eventtype-and-Subsearch-problem-after-migration/m-p/334429#M99395 <P>Hi everybody.</P> <P>After migrating splunk from one node to another I started having problems with eventtypes and subsearch.<BR /> We have migrated everything. From apps to users. With the related authorizations.</P> <P>Now when I run a search with a simple eventtype (Eventtype "example" ---&gt; index = linux sourcetype = suse) the search does not return any results. If you manually specify the index before the eventtype then the search works and returns results (index=linux eventtype="example"). <BR /> It seems like it's a problem of access to the indexes. As specifying it the eventtype works. If he has to access it only through the eventtype he can not.</P> <P>I checked the various permissions and executed the eventtype from the app search. Nothing.</P> <P>if I add this index at the "Indices included by default in the search" the eventtype works.</P> <P>I also noticed that subsearch does not work. The subsearch does not work in a dashboard moved from the old node to the new one. But if I run it like simple search it works perfectly. The search is correct because the on the old node works. Even here it seems a problem of authorizations. I checked them and it looks like everything it's ok.</P> <P>I think something happened during the migration. Although everything has been recreated in the same way.</P> <P>Splunk now is at 7.0.0. </P> <P>Thank you.</P> <P>EDIT: </P> <P>I noticed that if instead of using an index created by the Master Node (Indexers are clustered) I use an index created locally on one of the two nodes eventtypes work properly. <BR /> They can not operate only on the indices created by the Master Node.</P> Tue, 12 Dec 2017 10:03:22 GMT https://community.splunk.com/t5/Splunk-Search/Eventtype-and-Subsearch-problem-after-migration/m-p/334429#M99395 danyx32 2017-12-12T10:03:22Z https://community.splunk.com/t5/Splunk-Search/Eventtype-and-Subsearch-problem-after-migration/m-p/334430#M99396 <P>It sounds like you aren't searching all indexes by default. Check your roles configuration(s) to see which indexes will be searched by default.</P> <P>Settings -&gt; Access Controls -&gt; Roles -&gt; (select role) -&gt; Indexes searched by default</P> <P>You will need indexes.conf on the search head to be able to select the indexes. It needs to match that of the cluster master.</P> Tue, 12 Dec 2017 15:08:03 GMT https://community.splunk.com/t5/Splunk-Search/Eventtype-and-Subsearch-problem-after-migration/m-p/334430#M99396 micahkemp 2017-12-12T15:08:03Z https://community.splunk.com/t5/Splunk-Search/Eventtype-and-Subsearch-problem-after-migration/m-p/334431#M99397 <P>Hi <BR /> the problem is that an architecture with two clustered indexers used each one both as Indexer and as Search Head doesn'r run on 7.0.0!<BR /> In other words executing a search with subsearches on a clustered indexer it doesn't work, there must be a Search Head!</P> <P>I have this architecture on 6.4.2 and it's still running, instead on 7.0.0. probably is changed somebody in search execution so subsearches don't run if I execute this search on the Indexer.</P> <P>Bye.<BR /> Giuseppe</P> Tue, 19 Dec 2017 16:30:23 GMT https://community.splunk.com/t5/Splunk-Search/Eventtype-and-Subsearch-problem-after-migration/m-p/334431#M99397 gcusello 2017-12-19T16:30:23Z