Splunk Enterprise

Why is search area not giving me output when used?

ludjunior
New Member

I have a Splunk acct that I log in to via VPN. The issue is that when I use the "search" area I cannot get an output, but when I use the "find" area for the same query, I get my output. Is there a way to change that? I just want to put my query in the "search" area to get my output.

0 Karma

richgalloway
SplunkTrust

Welcome to Splunk!

Please help us to help you.  What do you mean by "search area" and "find area"?  What text are you putting into each?  What are you trying to get for output?

---
If this reply helps you, Karma would be appreciated.
0 Karma

ludjunior
New Member

In the search, if I put index=“_internal” I won’t get anything but if I go on the top right corner and put the same query I will get an output. 

0 Karma

richgalloway
SplunkTrust

If you put "index=_internal" in the Find box then you should get a list of reports and dashboards that contain that string.  The last entry should be "Open 'index=_internal' in Search".  Clicking that should be the same as putting "index=_internal" in a search box.

Do you have access to the _internal index?  Usually, only admins and (sometimes) power users have access.  Not having access to the index would explain why you get no results from the Search box (no, Splunk won't say "you don't have access").  OTOH, if the Find box turns up a report that runs as Owner and the owner has access then you will see results.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ludjunior
New Member

Hi Richgalloway,

Yes, I am one of the admins on the acct. I have to find out whether I have access to the index. How would I find out?

0 Karma

richgalloway
SplunkTrust

If you are an admin then you should have access to _internal.  Try searching index=_internal earliest=-1h.  If you get results then you have access.

Another way is to go to Settings->Users and look at your account.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ludjunior
New Member

I checked my acct again. I am admin, can_delete, power, Splunk-system-role, user

Do you think it's the VPN link that I'm using to get to Splunk? 

0 Karma

richgalloway
SplunkTrust

In addition to looking at your capabilities, look at the indexes you are allowed to access.  Do that by going to Settings->Roles and clicking on your role.  Then select the Indexes tab.  There should be a mark in the _internal box.

---
If this reply helps you, Karma would be appreciated.
0 Karma
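
The role-to-index check from the last reply can also be done offline against an exported `authorize.conf`. This is an added example, not part of the original thread and not Splunk's own code: the sample configuration is constructed (including the hypothetical `role_analyst`), the function names are made up here, and it covers only `importRoles` inheritance and wildcards, not `-` exclusions.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample in authorize.conf syntax (not taken from the thread).
SAMPLE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_power]
importRoles = user

[role_analyst]
importRoles = user
srchIndexesAllowed = main;web_*

[role_admin]
importRoles = power;user
srchIndexesAllowed = *;_*
"""

def _split(value):
    return [v.strip() for v in value.split(";") if v.strip()]

def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case (importRoles, srchIndexesAllowed)
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def allowed_patterns(roles, role, seen=None):
    """Patterns set on the role plus those of every role it imports (cycle-safe)."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    pats = set(_split(roles[role].get("srchIndexesAllowed", "")))
    for parent in _split(roles[role].get("importRoles", "")):
        pats |= allowed_patterns(roles, parent, seen)
    return pats

def pattern_matches(pattern, index):
    # Per authorize.conf.spec, '*' does not match internal (underscore) indexes;
    # a pattern must itself start with '_' to cover them, e.g. '_*'.
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatchcase(index, pattern)

def can_search(roles, user_roles, index):
    pats = set().union(*(allowed_patterns(roles, r) for r in user_roles))
    return any(pattern_matches(p, index) for p in pats)
```

A role that lists only `*` still cannot search `_internal`, which matches the silent empty result described in the thread.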