Eventtype and Subsearch problem after migration

New Member

Hi everybody.

After migrating splunk from one node to another I started having problems with eventtypes and subsearch.
We have migrated everything. From apps to users. With the related authorizations.

Now when I run a search with a simple eventtype (eventtype "example" ---> index=linux sourcetype=suse) the search does not return any results. If I manually specify the index before the eventtype, then the search works and returns results (index=linux eventtype="example").
It seems like it's a problem of access to the indexes, since the eventtype works when I specify the index. If it has to access the index only through the eventtype, it cannot.

I checked the various permissions and executed the eventtype from the app search. Nothing.

If I add this index to the "Indexes included by default in the search", the eventtype works.

I also noticed that subsearch does not work. The subsearch does not work in a dashboard moved from the old node to the new one, but if I run it as a simple search it works perfectly. The search is correct because it works on the old node. Even here it seems a problem of authorizations. I checked them and it looks like everything is ok.

I think something happened during the migration. Although everything has been recreated in the same way.

Splunk now is at 7.0.0.

Thank you.


I noticed that if, instead of using an index created by the Master Node (the indexers are clustered), I use an index created locally on one of the two nodes, eventtypes work properly.
They fail only on the indices created by the Master Node.

0 Karma


The problem is that an architecture with two clustered indexers, each one used both as Indexer and as Search Head, doesn't run on 7.0.0!
In other words, executing a search with subsearches on a clustered indexer doesn't work; there must be a Search Head!

I have this architecture on 6.4.2 and it's still running; instead on 7.0.0 probably something has changed in search execution, so subsearches don't run if I execute the search on the Indexer.


0 Karma


It sounds like you aren't searching all indexes by default. Check your roles configuration(s) to see which indexes will be searched by default.

Settings -> Access Controls -> Roles -> (select role) -> Indexes searched by default

You will need indexes.conf on the search head to be able to select the indexes. It needs to match that of the cluster master.

0 Karma
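The configuration relationship this answer describes, written out as an added illustration (not taken from the thread or from a Splunk product file); the role name, file placement and index paths are assumed, while the eventtype and index names are the ones from the question:

```ini
# eventtypes.conf (in the app on the search head): the eventtype carries
# the index only inside its search string. As the thread reports, a bare
# eventtype=example search returned nothing until the index was also in
# the role's default set.
[example]
search = index=linux sourcetype=suse

# authorize.conf on the search head. Role name "linux_analyst" is assumed.
# This is the setting behind Settings -> Access Controls -> Roles ->
# Indexes searched by default.
#
# Problematic version: "linux" is allowed, but not searched by default,
# so a search that does not say index=linux explicitly never reaches it.
[role_linux_analyst]
srchIndexesAllowed = main;linux
srchIndexesDefault = main

# Corrected version (keep only one of the two stanzas in a real file):
# add the index to the default set, or use * to default to all allowed.
[role_linux_analyst]
srchIndexesAllowed = main;linux
srchIndexesDefault = main;linux

# indexes.conf on the search head: a stanza per clustered index, matching
# the cluster master's definition, so the index is selectable in the role
# editor. Paths are assumed placeholders.
[linux]
homePath   = $SPLUNK_DB/linux/db
coldPath   = $SPLUNK_DB/linux/colddb
thawedPath = $SPLUNK_DB/linux/thaweddb
```

After editing these files a restart of the search head (or a reload of the affected conf files) is needed before the role editor and searches reflect the change.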