Splunk Search

Cannot search using sourcetype but can search with index

KarunK
Contributor

Hi,

I have an app in my server, which is monitoring a directory (D:\Custom Install\Splunk_Sample_Data\Splunk_Pdn_Sample_Data\mms_export_e_wms_90) for a set of logs.
eg: mms_export_e_wms_90_10.152.59.75_20111107_185001_47217

When I search using the index I can see the results, but not with sourcetype.
Can I get some advice?

Thanks

index="mms_export_e_wms_90" - works fine
index="mms_export_e_wms_90" sourcetype="mms_export_e_wms_90" - Also works fine

But - sourcetype="mms_export_e_wms_90" - gives me no results

My config files are as below.

input.conf

[monitor://D:\Custom Install\Splunk_Sample_Data\Splunk_Pdn_Sample_Data\mms_export_e_wms_90]
disabled = false
crcSalt =
followTail = 0
host =
host_regex = (?i)[^\s]+mms_export_e_wms_90_(\d+.\d+.\d+.\d+)_\d+
index = mms_export_e_wms_90
sourcetype = mms_export_e_wms_90

props.conf

[mms_export_e_wms_90]
pulldown_type = true
KV_MODE=none
TRANSFORMS-comment = hash_comment
SHOULD_LINEMERGE=false
TZ=UTC
TIME_PREFIX=\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s
TIME_FORMAT=%Y-%m-%d %T
REPORT-fields = mms_export_e_wms_90_fields
EXTRACT-uri_schema = (?i)^(?:[^\s]* ){47}((?[^:/?#]+):)?(//(?[^/?#]))?(?[^?#|\s])(\?(?[^#|^\s]))?(#(?.[^\s]))?

transforms.conf

[hash_comment]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

[mms_export_e_wms_90_fields]
DELIMS = " "
FIELDS = "c-ip", "date", "time", "c-dns", "cs-uri-stem", "c-starttime", "x-duration", "c-rate", "c-status", "c-playerid", "c-playerversion", "c-playerlanguage", "cs(User-Agent)", "cs(Referer)", "c-hostexe", "c-hostexever", "c-os", "c-osversion", "c-cpu", "filelength", "filesize", "avgbandwidth", "protocol", "transport", "audiocodec", "videocodec", "channelURL", "sc-bytes", "c-bytes", "s-pkts-sent", "c-pkts-received", "c-pkts-lost-client", "c-pkts-lost-net", "c-pkts-lost-cont-net", "c-resendreqs", "c-pkts-recovered-ECC", "c-pkts-recovered-resent", "c-buffercount", "c-totalbuffertime", "c-quality", "s-ip", "s-dns", "s-totalclients", "s-cpu-util", "cs_user_name", "s_session_id", "s_content_path", "cs_url", "cs_media_name", "c_max_bandwidth", "cs_media_role", "s_proxied", "SE-action", "SE-bytes", "Username"

1 Solution

araitz
Splunk Employee

You need to add the mms_export_e_wms_90 index to your default index list. You can do that via Manager > Access Controls > Roles > Your Role and then add mms_export_e_wms_90 to the selected indexes list under "Indexes searched by default".

Click "Save" to complete the action, and now you can try your search again without the index specification.
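
The same change expressed in authorize.conf, as an added example that is not part of the original answer. The role stanza name `role_user`, the file location and the `srchIndexesAllowed` value are assumptions; only the index name comes from the question.

```ini
# authorize.conf (assumed location: $SPLUNK_HOME/etc/system/local/authorize.conf)
# "role_user" is an assumed role name; edit the stanza of the role you hold.
#
# srchIndexesAllowed = indexes the role is permitted to search at all.
# srchIndexesDefault = indexes searched when the query names no index.
# Both take semicolon-separated lists.

# Before (shown commented out): the index is allowed, so
#   index="mms_export_e_wms_90" sourcetype="mms_export_e_wms_90"
# returns events, but it is not in the default list, so
#   sourcetype="mms_export_e_wms_90"
# only looks in "main" and returns nothing.
#
# [role_user]
# srchIndexesAllowed = *
# srchIndexesDefault = main

# After: same access as before, with the index added to the default scope.
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main;mms_export_e_wms_90
```

Adding an index to `srchIndexesDefault` only widens what an unqualified search covers; it grants nothing that `srchIndexesAllowed` does not already permit. A restart picks up the file edit.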

kurtus
Engager

This also worked for me. Thanks!


araitz
Splunk Employee

Sure thing. Be sure to vote up my answer 🙂

KarunK
Contributor

Perfect!!!!!
It worked.
Thanks. Appreciate that.
