I have a splunk acct that i login to via vpn. The issue is that when i use the "search" area i cannot get an output but i when i use the "find" area for the same query, i get my output. Is there a way the change that? I just want to put my query in the "search" area to get my output.
Welcome to Splunk!
Please help us to help you. What do you mean by "search area" and "find area"? What text are you putting into each? What are you trying to get for output?
In the search, if I put index=“_internal” I won’t get anything but if I go on the top right corner and put the same query I will get an output.
If you put "index=_internal" in the Find box then you should get a list of reports and dashboards that contain that string. The last entry should be "Open 'index=_internal' in Search. Clicking that should be the same as putting "index=_internal" in a search box.
Do you have access to the _internal index? Usually, only admins and (sometimes) power users have access. Not having access to the index would explain why you get no results from the Search box (no, Splunk won't say "you don't have access"). OTOH, if the Find box turns up a report that runs as Owner and the owner has access then you will see results.
Hi Richgalloway,
yes, I am one of the admins on the acct. I have to find out whether I have access to the index. How would i find out?
If you are an admin then you should have access to _internal. Try searching index=_internal earliest=-1h. If you get results then you have access.
Another way is to go to Settings->Users and look at your account.
I checked my acct again. I am admin, can_delete, power, Splunk-system-role, user
Do you think it's the VPN link that I'm using to get to Splunk?
In addition to looking at your capabilities, look at the indexes you are allowed to access. Do that by going to Settings->Roles and clicking on your role. Then select the Indexes tab. There should be a mark in the _internal box.