Splunk Search

Cannot search using sourcetype but can search with index

KarunK
Contributor

Hi,

I have an app in my server, which is monitoring a directory (D:\Custom Install\Splunk_Sample_Data\Splunk_Pdn_Sample_Data\mms_export_e_wms_90) for a set of logs.
eg: mms_export_e_wms_90_10.152.59.75_20111107_185001_47217

When i search using the idex i can see the results. But not with sourcetype.
Can i get some advise ?

Thanks

index="mms_export_e_wms_90" - works fine
index="mms_export_e_wms_90" sourcetype="mms_export_e_wms_90" - Also works fine

But - sourcetype="mms_export_e_wms_90" - gives me no results

My config files are as below.

input.conf

[monitor://D:\Custom Install\Splunk_Sample_Data\Splunk_Pdn_Sample_Data\mms_export_e_wms_90]
disabled = false
crcSalt =
followTail = 0
host =
host_regex = (?i)[^\s]+mms_export_e_wms_90_(\d+.\d+.\d+.\d+)_\d+
index = mms_export_e_wms_90
sourcetype = mms_export_e_wms_90

props.conf

[mms_export_e_wms_90]
pulldown_type = true
KV_MODE=none
TRANSFORMS-comment = hash_comment
SHOULD_LINEMERGE=false
TZ=UTC
TIME_PREFIX=\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s
TIME_FORMAT=%Y-%m-%d %T
REPORT-fields = mms_export_e_wms_90_fields
EXTRACT-uri_schema = (?i)^(?:[^\s]* ){47}((?[^:/?#]+):)?(//(?[^/?#]))?(?[^?#|\s])(\?(?[^#|^\s]))?(#(?.[^\s]))?

transforms.conf

[hash_comment]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue

[mms_export_e_wms_90_fields]
DELIMS = " "
FIELDS = "c-ip", "date", "time", "c-dns", "cs-uri-stem", "c-starttime", "x-duration", "c-rate", "c-status", "c-playerid", "c-playerversion", "c-playerlanguage", "cs(User-Agent)", "cs(Referer)", "c-hostexe", "c-hostexever", "c-os", "c-osversion", "c-cpu", "filelength", "filesize", "avgbandwidth", "protocol", "transport", "audiocodec", "videocodec", "channelURL", "sc-bytes", "c-bytes", "s-pkts-sent", "c-pkts-received", "c-pkts-lost-client", "c-pkts-lost-net", "c-pkts-lost-cont-net", "c-resendreqs", "c-pkts-recovered-ECC", "c-pkts-recovered-resent", "c-buffercount", "c-totalbuffertime", "c-quality", "s-ip", "s-dns", "s-totalclients", "s-cpu-util", "cs_user_name", "s_session_id", "s_content_path", "cs_url", "cs_media_name", "c_max_bandwidth", "cs_media_role", "s_proxied", "SE-action", "SE-bytes", "Username"

Tags (1)
1 Solution

araitz
Splunk Employee
Splunk Employee

You need to add the mms_export_e_wms_90 index to your default index list. You can do that via Manager > Access Controls > Roles > Your Role and then add mms_export_e_wms_90 to the selected indexes list under "Indexes searched by default".

Click "Save" to complete the action, and now you can try your search again without the index specification.

View solution in original post

araitz
Splunk Employee
Splunk Employee

You need to add the mms_export_e_wms_90 index to your default index list. You can do that via Manager > Access Controls > Roles > Your Role and then add mms_export_e_wms_90 to the selected indexes list under "Indexes searched by default".

Click "Save" to complete the action, and now you can try your search again without the index specification.

kurtus
Engager

This also worked for me. Thanks!

0 Karma

araitz
Splunk Employee
Splunk Employee

Sure thing. Be sure to vote up my answer 🙂

KarunK
Contributor

Perfect!!!!!
It worked.
Thanks. Appreciate that.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...