Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

After restoring a CSV based index, why are searches using fields or wildcards not returning results?

szaboszilard
Path Finder
‎08-14-2015 01:06 AM

Hi

I have a big big problem. I restored a csv based index. (MS Exchange mail track log)
The restored data is big, over 100GB.

When I'm starting a search specified by fields or "*data*" the search does not find anything. (The search process is very fast)
I'm exported some restored data, and I executed an grep command on it and found what I'm looking for.

Any idea, why I can't search in Splunk via fields or wildcard?

Regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-21-2015 02:20 PM

You are probably running in to this well-known problem:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-21-2015 02:20 PM

You are probably running in to this well-known problem:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false
Reply
Solved! Jump to solution

szaboszilard
Path Finder
‎09-16-2015 06:57 AM

On left side at field list i can see the total unique fields count and the top 10 fields value.
I try to select one field value from field list, but the result is the same. No results, but is it in the index.

I can't understand why not works.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎09-21-2015 01:36 PM

There isn't any stanza problem, my search was running in verbose mode. So switch back to verbose mode, I assume you're in fast mode now.

Read the docs http://docs.splunk.com/Documentation/Splunk/6.2.6/Search/Changethesearchmode to learn more about the search modes.

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎08-14-2015 03:11 AM

just to clarify, you can see the data in splunk looking only at the index, right? if so:

  • check if you are searching using smart or verbose mode while searching.
  • check if you have the props stanza for the sourcetype assigned to the events. (run this ./splunk btool props list --debug)
------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

szaboszilard
Path Finder
‎09-16-2015 06:35 AM

There isn't any stanza problem, my search was running in verbose mode.
When i click to an event i can see the correct fields.
When i use a field in search, the process ends very fast without result.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...