Solved: Why does my sourcetype= search return no results, ...

craigkleen · ‎10-14-2014

I re-did some of my data inputs using the same indexes as before to add actual sourcetypes this time. I'm using HWF instead of UF to send data to my indexer. I can now search "index=my_index sourcetype=my_sourcetype", but when my search is just "sourcetype=my_sourcetype", it returns no results over the same time period. Is there a way to fix that? It happened with a couple of sourcetypes, but not all of them.

MartinMcNutt · ‎10-14-2014

This may be a security related issue as "Indexes searched by default" will cause the user to only search which he/she is provisioned for.

Check the role that is assigned to the user. Verify that my_index is in that list.

(edit weird post bug)

View solution in original post

MartinMcNutt · ‎10-14-2014

This may be a security related issue as "Indexes searched by default" will cause the user to only search which he/she is provisioned for.

Check the role that is assigned to the user. Verify that my_index is in that list.

(edit weird post bug)

craigkleen · ‎10-14-2014

Yeah, that's it. Thanks!

acharlieh · ‎10-14-2014

If I had to guess, the sourcetypes that return results are not returning results from my_index, but rather from other indexes? (check out the interesting fields)

Why does my sourcetype= search return no results, but pairing with index= does?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases