So I have this very strange problem. We have 2 SearchHead environments: 1 SearchHead Cluster (7) and a Standalone Dev SearchHead. They both are connected to the same indexer Cluster.
A new problem appeared today. When users are searching for a key-value pair, Splunk stalls and does not bring up any results. Splunk does not terminate the search either, just stalls until I close the tab.
See below:
However, the moment sourcetype is mentioned, Splunk brings back searches:
The issue only appears on the firewall index, which has several sourcetypes in there. This issue does not appear in other indexes that contain multiple sourcetypes. Just the index=firewalls.
I was curious if the problem resided in the search head layer or indexers. So I ran the same vague search (index=firewalls src="*") on our standalone SH and indexers, which both returned normal results. So the issue seems to reside on the specific Search Head Cluster.
Any idea?
I forgot to mention that this problem is only seen in Smart and Verbose mode. Fast mode seems to pull the data fine with both searches from the original post.
Have you checked the job inspector for what's being added to the search?
Track down where the field is being set. It's likely a sourcetype specific field extraction or alias.
How do aliases and renames affect data from being searched when sourcetype is not specified? When I search with no specific sourcetype, it should pull everything, right? This index collects data from 2 different firewalls (Juniper and Palo Altos). The Palo Altos undergo a sourcetype rename at ingestion to index properly.
But it shouldn't impact a vague search, as Splunk is supposed to pull everything from that index regardless of sourcetype. Any specific ideas on where I should look for aliases and renames?
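The reply above suggests tracking down where the field is being set. As an added example (not code from the thread or from Splunk), the script below parses the output of `splunk btool props list --debug`, which prefixes every line with the .conf file that contributes it, and reports which stanza and file define a given field through a search-time setting (FIELDALIAS, EXTRACT, REPORT, EVAL, LOOKUP). The btool output embedded here is constructed for the example; the app names, paths and sourcetypes are assumptions.

```python
"""Locate the props.conf stanzas and files that define a field, from
`splunk btool props list --debug` output (sample below is constructed)."""
import re
from collections import namedtuple

Setting = namedtuple("Setting", "file stanza key value")

# Constructed btool --debug output: <conf file>  <stanza header | key = value>
SAMPLE_BTOOL = """\
/opt/splunk/etc/apps/TA-paloalto/default/props.conf   [pan_log]
/opt/splunk/etc/apps/TA-paloalto/default/props.conf   TRANSFORMS-sourcetype = pan_traffic
/opt/splunk/etc/apps/firewall_local/local/props.conf  [pan:traffic]
/opt/splunk/etc/apps/firewall_local/local/props.conf  FIELDALIAS-src = src_ip AS src
/opt/splunk/etc/apps/firewall_local/local/props.conf  EVAL-src = if(isnull(src), src_ip, src)
/opt/splunk/etc/apps/TA-juniper/default/props.conf    [juniper:junos:firewall]
/opt/splunk/etc/apps/TA-juniper/default/props.conf    EXTRACT-src = source-address="(?<src>[^"]+)"
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")
# Settings that run at search time and can create, alias or overwrite a field.
SEARCH_TIME_PREFIXES = ("FIELDALIAS-", "EXTRACT-", "REPORT-", "EVAL-", "LOOKUP-")


def parse_btool_debug(text):
    """Turn btool --debug lines into Setting records, tracking the current stanza."""
    settings, stanza = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        path, body = m.groups()
        if body.startswith("[") and body.endswith("]"):
            stanza = body[1:-1]          # new stanza header, e.g. [pan:traffic]
        elif "=" in body and stanza is not None:
            key, value = (s.strip() for s in body.split("=", 1))
            settings.append(Setting(path, stanza, key, value))
    return settings


def find_field_definitions(settings, field):
    """Return the search-time settings whose key or value names `field`.
    Word-boundary matching keeps `src` from matching `src_ip`."""
    pattern = re.compile(r"(?<!\w)%s(?!\w)" % re.escape(field))
    return [s for s in settings
            if s.key.startswith(SEARCH_TIME_PREFIXES)
            and (pattern.search(s.key) or pattern.search(s.value))]


if __name__ == "__main__":
    for hit in find_field_definitions(parse_btool_debug(SAMPLE_BTOOL), "src"):
        print(f"[{hit.stanza}] {hit.key} = {hit.value}  ({hit.file})")
```

Run it against real output by piping `splunk btool props list --debug` into a file and loading that file instead of SAMPLE_BTOOL; the stanzas it lists are the ones to compare between the search head cluster and the standalone search head.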