
problem searching by host or sourcetype or other fields. however, I am able to search events by index name

Path Finder

I am able to search for events by index name, however, I am not able to find the same events if searched by hosts or sourcetype or any other selected fields.

0 Karma

Splunk Employee

Try this:

go to settings / access controls / roles

Change the indexes searched by default to include where the data lives in the role you belong to.

Path Finder

It's fixed. I was able to solve this yesterday itself.

0 Karma

SplunkTrust

@mintughosh, if the issue was with access, can you please accept the answer. Or provide your own in case the fix was something else?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust

@mintughosh... So what you mean to say is that when you do not have an index present in your base search, you are not able to search events just based on sourcetype or host. Is that correct?

If this is so, it is linked with the way your Splunk user role has been created. A default index can be set for your role so that the index value defaults to it when no index is specifically mentioned in the base search (through "Indexes searched by default").

Ideally you should make sure that your base search always has at least index and sourcetype. If other key fields like host and source (index-time field extractions) or search-time field extractions can be included, that would be even better, because these tell Splunk where to search (index), what data type to search (sourcetype) and any other additional filters.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
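The two answers above (the "Indexes searched by default" fix and the explanation of why a search without index= returns nothing) both come down to one role setting. The following is an added example, not code from this thread or from Splunk: it parses an authorize.conf-style stanza, where a role's srchIndexesAllowed and srchIndexesDefault keys hold the semicolon-separated index lists, and reports whether a search by host or sourcetype alone would even look in a given index. The role names and index names in the sample stanza are constructed for illustration.

```python
"""Diagnose why a search without index= returns nothing for a Splunk role.

Added example (not from the thread). It reads authorize.conf-style text:
  [role_<name>]
  srchIndexesAllowed = a;b;c   (indexes the role may search at all)
  srchIndexesDefault = a       (indexes searched when index= is omitted)
The same values are shown in Settings > Access controls > Roles.
"""
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf content (hypothetical roles and indexes).
SAMPLE_AUTHORIZE_CONF = """
[role_analyst]
srchIndexesAllowed = main;security_logs;web_logs
srchIndexesDefault = main

[role_admin]
srchIndexesAllowed = *
srchIndexesDefault = *
"""


def _split(value):
    """Split a semicolon-separated index list into a set of patterns."""
    return {v.strip() for v in value.split(";") if v.strip()}


def parse_authorize_conf(text):
    """Return {role_name: {'allowed': set, 'default': set}} from conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        roles[name] = {
            "allowed": _split(cp.get(section, "srchIndexesAllowed", fallback="")),
            "default": _split(cp.get(section, "srchIndexesDefault", fallback="")),
        }
    return roles


def _matches(patterns, index):
    """True if any pattern (wildcards such as '*' or 'sec*' allowed) matches."""
    return any(fnmatchcase(index, p) for p in patterns)


def diagnose(roles, role, index):
    """Classify what a search that omits index= does for this role and index.

    'not_allowed'          - the role cannot search this index at all
    'needs_explicit_index' - only a search containing index=<name> finds it
    'ok'                   - a host= or sourcetype= only search includes it
    """
    r = roles[role]
    if not _matches(r["allowed"], index):
        return "not_allowed"
    if _matches(r["default"], index):
        return "ok"
    return "needs_explicit_index"


if __name__ == "__main__":
    roles = parse_authorize_conf(SAMPLE_AUTHORIZE_CONF)
    for role, index in [("analyst", "security_logs"), ("analyst", "main"),
                        ("analyst", "finance"), ("admin", "finance")]:
        print(f"role={role} index={index}: {diagnose(roles, role, index)}")
```

The "needs_explicit_index" outcome is exactly the symptom in the question: the role is allowed to search the index, so index=security_logs finds the events, but because the index is not in the role's default list, a search on host or sourcetype alone never reaches it. Keeping the default list narrow is a deliberate least-privilege choice, so the fix is either to add the index to the role's defaults or, as the other answer recommends, to always put index= in the base search.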

SplunkTrust

When you search events by index in verbose mode, are you able to see sourcetype and host? Have you tried clicking on them and adding them to the search by choosing the "Events with this field" option from the Selected Fields menu on the left side below the search bar?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

Yes, even when I try to search it in fast mode, I am able to view the selected fields like host, sourcetype, source and index, and nothing in interesting fields. And when I add a selected host or sourcetype to the search, I am able to view the same events. But if I try a separate search for the same host or source or any other field, I get no results.

When I search in verbose mode, I am able to see the interesting fields. But if I search for the same hosts that are returned as results in verbose mode, I am still not able to view the results.

0 Karma