Splunk Dev

Having a problem searching by host, sourcetype or other fields; however, I am able to search events by index name

mintughosh
Path Finder

I am able to search for events by index name; however, I am not able to find the same events when searching by host, sourcetype or any other selected field.


jwelch_splunk
Splunk Employee

Try this:

Go to Settings / Access controls / Roles.

In the role you belong to, change the indexes searched by default to include the index where the data lives.

mintughosh
Path Finder

It's fixed. I was able to solve this yesterday itself.


vsrigane
Explorer

@mintughosh Can you please share the steps or the tips on how you resolved it, as I am facing the same concern: I do not get any event results when I run an SPL search with host= . Not sure if this is something to do with roles. Thanks. @niketn FYI


niketn
Legend

@mintughosh, if the issue was with access, can you please accept the answer, or provide your own in case the fix was something else?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn
Legend

@mintughosh... So what you mean to say is that, when you do not have the index present in your base search, you are not able to search events based on sourcetype or host alone. Is that correct?

If this is so, it is linked with the way your Splunk user role has been created. A default index can be set for your role so that the index value defaults to it when no index is specifically mentioned in the base search (through Indexes searched by default).

Ideally you should make sure that your base search always has at least index and sourcetype. If other key fields like host and source (index-time fields) or search-time field extractions can be included, that would be even better, because these tell Splunk where to search (index), what data type to search (sourcetype) and any other additional filters.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
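As an added illustration of the role mechanism described in this answer (this code is not from the thread or from Splunk): a small Python check that reads authorize.conf-style role stanzas and reports whether a search with or without an explicit index= clause would reach a given index. The stanza contents and role names are constructed sample data; the keys srchIndexesAllowed, srchIndexesDefault and importRoles are the real authorize.conf settings, and treating a bare * as matching only non-internal indexes (with _* for internal ones) follows Splunk's documented behaviour.

```python
"""Model why 'host=foo' can return nothing while 'index=web host=foo' works.

A search that omits index= is run against the role's 'indexes searched by
default' (srchIndexesDefault); an explicit index= only has to be within
srchIndexesAllowed. Role lists are unioned across importRoles.
"""
import configparser
import fnmatch
from typing import Dict, Set

# Constructed authorize.conf excerpt: sample data for this example only.
AUTHORIZE_CONF = """\
[role_user]
srchIndexesAllowed = main;web;_internal
srchIndexesDefault = main

[role_analyst]
importRoles = user
srchIndexesAllowed = *
srchIndexesDefault = web
"""


def load_roles(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Parse [role_<name>] stanzas into {name: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep srchIndexesAllowed etc. exactly as written
    cp.read_string(conf_text)
    return {s[len("role_"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("role_")}


def _split(value: str) -> Set[str]:
    """authorize.conf index lists are semicolon separated."""
    return {v.strip() for v in value.split(";") if v.strip()}


def effective_list(roles: Dict[str, Dict[str, str]], role: str, key: str,
                   _seen: Set[str] = None) -> Set[str]:
    """Union of <key> over the role and every role it reaches via importRoles."""
    _seen = _seen if _seen is not None else set()
    if role in _seen or role not in roles:  # unknown role or import cycle
        return set()
    _seen.add(role)
    patterns = _split(roles[role].get(key, ""))
    for parent in _split(roles[role].get("importRoles", "")):
        patterns |= effective_list(roles, parent, key, _seen)
    return patterns


def _matches(index: str, patterns: Set[str]) -> bool:
    """Wildcard match; a bare '*' covers non-internal indexes only."""
    for pat in patterns:
        if pat == "*" and index.startswith("_"):
            continue
        if fnmatch.fnmatchcase(index, pat):
            return True
    return False


def can_search(roles: Dict[str, Dict[str, str]], role: str, index: str,
               explicit_index: bool) -> bool:
    """True if a search run by <role> would read <index>.

    explicit_index=True models 'index=<index> host=...'; False models a bare
    'host=...', where Splunk substitutes the role's default indexes.
    """
    if not _matches(index, effective_list(roles, role, "srchIndexesAllowed")):
        return False  # never searchable by this role
    if explicit_index:
        return True
    return _matches(index, effective_list(roles, role, "srchIndexesDefault"))


def explain(roles: Dict[str, Dict[str, str]], role: str, index: str) -> str:
    """One-line diagnosis of the symptom from the thread for a role/index pair."""
    if not can_search(roles, role, index, explicit_index=True):
        return f"role '{role}' is not allowed to search index '{index}'"
    if not can_search(roles, role, index, explicit_index=False):
        return (f"index '{index}' is allowed for role '{role}' but not searched by "
                f"default: add index={index} to the search, or add it to the "
                f"role's 'Indexes searched by default'")
    return f"index '{index}' is searched by default for role '{role}'"


ROLES = load_roles(AUTHORIZE_CONF)

if __name__ == "__main__":
    for role in ("user", "analyst"):
        for index in ("main", "web", "_internal"):
            print(explain(ROLES, role, index))
```

Running the block prints one diagnosis per role/index pair; the "user" role shows the thread's symptom for the "web" index (allowed, but not in the defaults), which is exactly the case the Settings / Access controls / Roles change fixes.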

niketn
Legend

When you search events by index in verbose mode, are you able to see sourcetype and host? Have you tried clicking on them and adding them to the search by choosing the "Events with this field" option from the Selected Fields menu on the left side below the search bar?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

mintughosh
Path Finder

Yes, even when I search in fast mode, I am able to view the selected fields like host, sourcetype, source and index, and nothing under interesting fields. When I add a selected host or sourcetype to the search, I am able to view the same events. But when I try a separate search for the same host or source or any other field, I get no results.

When I search in verbose mode, I am able to see the interesting fields. But if I search for the same hosts that are returned in verbose mode, I am still not able to view the results.
