What are the limitations with Splunk Enterprise ve...

akarivaratharaj · ‎11-07-2023

We have recently upgraded our Splunk Enterprise to the version 9.0.4. We observed that some of the behaviour in the system are different.

For example, when we run a search with timechart/stats command and without mentioning the index field, the results are same but under the Events part, it shows empty events for the respective timestamp. Below is the sample query and respective results.

host=abc sourcetype=xyz |timechart count

This was not occurring earlier. Though we don't mention the index field, the results use to populate with the respective event logs.

Not sure whether this is the expected behavior or it's a bug. Is this something which we can fix from the end user side?

Please anyone help me on this. I would also like to know the limitations or restrictions which are introduced with this Splunk version.

FelixLeh · ‎11-08-2023

The Default index in the Splunk is the main index.
The Definition is located in the indexes.conf.

defaultDatabase = <database name>

Additionally every User Role can have a custom default index assigned.
You can check the default index for a user role by going into Settings -> Roles -> Your Role -> 3. Indexes

Check if the default for the environment or your user role is the same as the index which the data is shown from when you search without an index.
Regarding the missing fields I currently have no lead.

What are the limitations with Splunk Enterprise version 9.0.4

upgrade

using Splunk Enterprise

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation