Host field without wildcards returns no results

Path Finder

If I run a search that says * host=*somehost*, I get results back. If I remove the wildcards around the host field and only run index=blah host=somehost, then nothing is returned.

The host field is just "somehost" (without quotes). If I go to the selected fields sidebar and select "somehost" out of the values of host, it generates the search * host=*somehost* host="somehost" and returns no results. Same if I select the "somehost" value out of an event returned from the wildcard search and generate a new search from that.

What would cause Splunk to require that there are wildcards around this hostname?

0 Karma

New Member

It seems like your host is not in the blah index.

Make sure the host resides in the right index.

Try this search:
index=* host=somehost

0 Karma

Path Finder

That returns no results.

Any search where the host field for this particular host does not have wildcards around it returns no results.

0 Karma