Splunk Search

Cannot search using sourcetype but can search with index

KarunK
Contributor

Hi,

I have an app in my server, which is monitoring a directory (D:\Custom Install\Splunk_Sample_Data\Splunk_Pdn_Sample_Data\mms_export_e_wms_90) for a set of logs.
eg: mms_export_e_wms_90_10.152.59.75_20111107_185001_47217

When i search using the idex i can see the results. But not with sourcetype.
Can i get some advise ?

Thanks

index="mms_export_e_wms_90" - works fine
index="mms_export_e_wms_90" sourcetype="mms_export_e_wms_90" - Also works fine

But - sourcetype="mms_export_e_wms_90" - gives me no results

My config files are as below.

input.conf

[monitor://D:\Custom Install\Splunk_Sample_Data\Splunk_Pdn_Sample_Data\mms_export_e_wms_90]
disabled = false
crcSalt =
followTail = 0
host =
host_regex = (?i)[^\s]+mms_export_e_wms_90_(\d+.\d+.\d+.\d+)_\d+
index = mms_export_e_wms_90
sourcetype = mms_export_e_wms_90

props.conf

[mms_export_e_wms_90]
pulldown_type = true
KV_MODE=none
TRANSFORMS-comment = hash_comment
SHOULD_LINEMERGE=false
TZ=UTC
TIME_PREFIX=\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s
TIME_FORMAT=%Y-%m-%d %T
REPORT-fields = mms_export_e_wms_90_fields
EXTRACT-uri_schema = (?i)^(?:[^\s]* ){47}((?[^:/?#]+):)?(//(?[^/?#]))?(?[^?#|\s])(\?(?[^#|^\s]))?(#(?.[^\s]))?

transforms.conf

[hash_comment]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

[mms_export_e_wms_90_fields]
DELIMS = " "
FIELDS = "c-ip", "date", "time", "c-dns", "cs-uri-stem", "c-starttime", "x-duration", "c-rate", "c-status", "c-playerid", "c-playerversion", "c-playerlanguage", "cs(User-Agent)", "cs(Referer)", "c-hostexe", "c-hostexever", "c-os", "c-osversion", "c-cpu", "filelength", "filesize", "avgbandwidth", "protocol", "transport", "audiocodec", "videocodec", "channelURL", "sc-bytes", "c-bytes", "s-pkts-sent", "c-pkts-received", "c-pkts-lost-client", "c-pkts-lost-net", "c-pkts-lost-cont-net", "c-resendreqs", "c-pkts-recovered-ECC", "c-pkts-recovered-resent", "c-buffercount", "c-totalbuffertime", "c-quality", "s-ip", "s-dns", "s-totalclients", "s-cpu-util", "cs_user_name", "s_session_id", "s_content_path", "cs_url", "cs_media_name", "c_max_bandwidth", "cs_media_role", "s_proxied", "SE-action", "SE-bytes", "Username"

Tags (1)
1 Solution

araitz
Splunk Employee
Splunk Employee

You need to add the mms_export_e_wms_90 index to your default index list. You can do that via Manager > Access Controls > Roles > Your Role and then add mms_export_e_wms_90 to the selected indexes list under "Indexes searched by default".

Click "Save" to complete the action, and now you can try your search again without the index specification.

View solution in original post

araitz
Splunk Employee
Splunk Employee

You need to add the mms_export_e_wms_90 index to your default index list. You can do that via Manager > Access Controls > Roles > Your Role and then add mms_export_e_wms_90 to the selected indexes list under "Indexes searched by default".

Click "Save" to complete the action, and now you can try your search again without the index specification.

kurtus
Engager

This also worked for me. Thanks!

0 Karma

araitz
Splunk Employee
Splunk Employee

Sure thing. Be sure to vote up my answer 🙂

KarunK
Contributor

Perfect!!!!!
It worked.
Thanks. Appreciate that.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...