I assume that searching with source=* should work? What could be the reason that this query works:
12/03/2013 12:15:46.000 ResponseTimems=101
host=l2-iamprdagw04.nl.rsg sourcetype=appman:Script source=heartbeat-randstadnet@l2-iamprdagw04
And this not:
index=prd_stats sourcetype=appman:* source=heartbeat*
You search has implied AND. Splunk inserts AND between search terms.
This is what your search is accutually.
index=prd_stats AND sourcetype=appman:* AND source=heartbeat*
This is what I think you trying to do
index=prd_stats AND (sourcetype="appman:*" OR source="heartbeat*")
index=prd_stats AND sourcetype="appman:*" AND source="heartbeat*"
To avoid confusion I explictly define all my boolean search operators.
Hope this helps or gets you started. If it does help dont forget to accept and/or vote up.
View solution in original post