Re: Unable to search using Sourcetype

olavo123 · ‎10-24-2014

I have set up a indexer which I also use as an Search Head. I dont have a deployment server so I manually pushed (copied) the apps to the servers to configure the forwarders. The forwarders work just fine and are recognized by the Indexer. And the props as well as input apps work well. And I am able to search for the index data using:

index="test_index" sourcetype=test_sourcetype

All fields defined in props and transform file, show up correctly. These fields also show correctly: host, source and sourcetype. I can see "sourcetype=test_sourcetype" in the events. But I am unable search events using:

sourcetype=test_sourcetype

Any help will be appreciated.

Thanks

Olavo

MartinMcNutt · ‎10-24-2014

If you wish to have custom indexes searched by default you must update your Role(s) to include that index as part of the "Indexes searched by default."

Settings
Access controles
Roles
Select Role(s)
Scroll down to "Indexes searched by default"
Add test_index
Click SAVE

jluste · ‎10-24-2014

It was my understanding that by default, the user roles only allow searches against index=main. If you wanted to default into other indexes, you'd have to update your roles per app behavior.

martin_mueller · ‎10-24-2014

Note, this is unrelated to the app but rather controlled by the user's role.

jluste · ‎10-27-2014

Yes, that's it. But I thought that this could also be set per application. Do the user roles allow per app settings? (Not an admin)

olavo123 · ‎10-24-2014

Also, I see that I cannot use the fields "host" to perform any searches. I have to use the index= " ", then only other options like "host" , etc become operational.

-Olavo

olavo123 · ‎10-24-2014

I forgot to add that : Both indexer and Forwarders are version 6.1.

Thanks

Olavo

Unable to search using Sourcetype

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms