I am trying to perform a very basic search to bring back results, but the search appears to never finish when I queue it up for a specific index and sourcetype in either Smart Mode or Verbose Mode. What is puzzling is that the results are only 601 events, which is not much at all. I have checked other sourcetypes in the same index, and they appear to be working with no issue when running them in Smart Mode and Verbose Mode.
This search will not finish in either Smart Mode or Verbose Mode, Last 15 minutes:
This search will finish in Fast Mode, Last 15 minutes: Results 601 events.
I did pull over the same Bro app that has all of our parsing inside the app from another one of our Splunk instances. I commented out all of the entries in our transforms.conf file in the Bro app on one of our indexers and tried to search the field bro_smtp in Verbose Mode, and what do you know! It works! I guess now I just need to go back through and figure out which one broke that sourcetype. Thanks!