I am able to search for events by index name, however, I am not able to find the same events if searched by hosts or sourcetype or any other selected fields.
Try this:
Go to Settings / Access controls / Roles.
Change the indexes searched by default to include where the data lives in the role you belong to.
It's fixed. I was able to solve this yesterday itself.
@mintughosh Can you please share the steps or the tips on how you resolved it? I am facing the same concern, where I do not get any event results when I run an SPL with host= . Not sure if this is something to do with roles. Thanks. @niketn FYI
@mintughosh, if the issue was with access, can you please accept the answer. Or provide your own in case the fix was something else?
@mintughosh... So what you mean to say is that, when you do not have an index present in your base search, you are not able to search events just based on sourcetype or host. Is that correct?
If this is so, it is linked with the way your Splunk User Role has been created. A default index can be set for your role so that the index value defaults to it when an index is not specifically mentioned in the base search (through Indexes searched by default).
Ideally you should make sure that your base search always has at least index and sourcetype. If other key fields like host and source (index-time field extractions) or search-time field extractions can be included, that would be even better, because these tell Splunk where to search (index), what data type to search (sourcetype) and any other additional filters.
When you search events by index in verbose mode, are you able to see sourcetype and host? Have you tried clicking on them and adding them to the search by choosing the Events with this field option from the Selected Fields menu on the left side below the Search bar?
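The role behaviour described above can be checked directly against authorize.conf. The following is an added example, not code from the thread or from Splunk: it parses a constructed authorize.conf sample and reports every role whose `srchIndexesAllowed` list contains indexes that are missing from its `srchIndexesDefault` list, which is exactly the case where `host=foo` alone returns nothing while `index=web host=foo` works. It assumes roles are defined as flat `[role_<name>]` stanzas and does not follow `importRoles` inheritance.

```python
import configparser

# Constructed sample authorize.conf (not from the thread). The "analyst" role
# may search "web" and "app_logs" but searches only "main" by default.
SAMPLE_AUTHORIZE_CONF = """
[role_analyst]
srchIndexesAllowed = main;web;app_logs
srchIndexesDefault = main

[role_admin]
srchIndexesAllowed = *
srchIndexesDefault = *

[role_readonly]
srchIndexesAllowed = main
srchIndexesDefault = main
"""


def _split_index_list(value):
    """authorize.conf separates index names with ';' (a single '*' means all)."""
    return {item.strip() for item in value.split(";") if item.strip()}


def find_roles_with_hidden_indexes(conf_text):
    """Return {role_name: sorted list of indexes} for roles that are allowed to
    search an index but will not include it unless the SPL names it explicitly.
    A '*' left in the result means 'every allowed index beyond the defaults'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep Splunk's camelCase keys exactly as written
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue  # authorize.conf also holds capability stanzas; skip them
        allowed = _split_index_list(parser.get(section, "srchIndexesAllowed", fallback=""))
        default = _split_index_list(parser.get(section, "srchIndexesDefault", fallback=""))
        if "*" in default:
            continue  # everything the role may search is already searched by default
        hidden = sorted(allowed - default)
        if hidden:
            findings[section[len("role_"):]] = hidden
    return findings


if __name__ == "__main__":
    for role, indexes in find_roles_with_hidden_indexes(SAMPLE_AUTHORIZE_CONF).items():
        print(f"role {role}: searches without 'index=' will skip {', '.join(indexes)}")
```

Running it against the sample reports only the analyst role, which is the role whose users would see the symptom in this thread.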
Yes, even when I try to search in fast mode, I am able to view the selected fields like host, sourcetype, source and index, and nothing in interesting fields. And when I add a selected host or sourcetype to the search, I am able to view the same events. But when I try a separate search for the same host or source or any other field, I get no results.
When I search in verbose mode, I am able to see the interesting fields. But if I search for the same hosts that are returned as results in verbose mode, I am still not able to view the results.