Hi,
I have an app in my server, which is monitoring a directory (D:\Custom Install\Splunk_Sample_Data\Splunk_Pdn_Sample_Data\mms_export_e_wms_90) for a set of logs.
e.g.: mms_export_e_wms_90_10.152.59.75_20111107_185001_47217
When I search using the index I can see the results, but not with sourcetype.
Can I get some advice?
Thanks
index="mms_export_e_wms_90" - works fine
index="mms_export_e_wms_90" sourcetype="mms_export_e_wms_90" - Also works fine
But - sourcetype="mms_export_e_wms_90" - gives me no results
My config files are as below.
input.conf
[monitor://D:\Custom Install\Splunk_Sample_Data\Splunk_Pdn_Sample_Data\mms_export_e_wms_90]
disabled = false
crcSalt =
props.conf
[mms_export_e_wms_90]
pulldown_type = true
KV_MODE=none
TRANSFORMS-comment = hash_comment
SHOULD_LINEMERGE=false
TZ=UTC
TIME_PREFIX=\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\s
TIME_FORMAT=%Y-%m-%d %T
REPORT-fields = mms_export_e_wms_90_fields
EXTRACT-uri_schema = (?i)^(?:[^\s]* ){47}((?
transforms.conf
[hash_comment]
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue
[mms_export_e_wms_90_fields]
DELIMS = " "
FIELDS = "c-ip", "date", "time", "c-dns", "cs-uri-stem", "c-starttime", "x-duration", "c-rate", "c-status", "c-playerid", "c-playerversion", "c-playerlanguage", "cs(User-Agent)", "cs(Referer)", "c-hostexe", "c-hostexever", "c-os", "c-osversion", "c-cpu", "filelength", "filesize", "avgbandwidth", "protocol", "transport", "audiocodec", "videocodec", "channelURL", "sc-bytes", "c-bytes", "s-pkts-sent", "c-pkts-received", "c-pkts-lost-client", "c-pkts-lost-net", "c-pkts-lost-cont-net", "c-resendreqs", "c-pkts-recovered-ECC", "c-pkts-recovered-resent", "c-buffercount", "c-totalbuffertime", "c-quality", "s-ip", "s-dns", "s-totalclients", "s-cpu-util", "cs_user_name", "s_session_id", "s_content_path", "cs_url", "cs_media_name", "c_max_bandwidth", "cs_media_role", "s_proxied", "SE-action", "SE-bytes", "Username"
You need to add the mms_export_e_wms_90 index to your default index list. You can do that via Manager > Access Controls > Roles > Your Role and then add mms_export_e_wms_90 to the selected indexes list under "Indexes searched by default".
Click "Save" to complete the action, and now you can try your search again without the index specification.
This also worked for me. Thanks!
Sure thing. Be sure to vote up my answer 🙂
Perfect!!!!!
It worked.
Thanks. Appreciate that.