Hi,
I have a BlueCoat Proxy log in main index
if I run
index="main" sourcetype="bcoat_proxysg" cn="*" | head 10
Splunk returns the first 10 events which have cn="*", good!
but if I run
index="main" sourcetype="bcoat_proxysg" [search sourcetype="bcoat_proxysg" cn="*" | head 10 |fields cn | format]
Splunk returns 0 events!
I tried to figure out what the problem is, so I ran
index="main" sourcetype="bcoat_proxysg" cn="*" | head 10 | fields cn | format
Splunk returns:
( ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) )
then I tried this:
index="main" sourcetype="bcoat_proxysg" cn="*" ( ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) OR ( cn="Sales" ) )
Splunk returns many events which have cn="Sales"
so I don't know why I got 0 events when I use the search command as below:
index="main" sourcetype="bcoat_proxysg" [search sourcetype="bcoat_proxysg" cn="*" | head 10 |fields cn | format]
Any further response on this, please.
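As an added illustration (not from the thread or from Splunk's own code), here is a small Python model of the `cn="*" | head 10 | fields cn | format` subsearch run over constructed BlueCoat-style events: it shows why the generated clause repeats cn="Sales" ten times, since `format` emits one term per row and nothing in the pipeline dedups. The `dedup` step is an assumption about how the clause could be kept compact; the events, users and hosts are made up.

```python
import re

# Constructed sample events, modelled on the BlueCoat ProxySG line quoted in the
# thread (users, IPs and URLs are made up for this example).
SAMPLE_EVENTS = [
    f"2010-4-22 10:27:{s:02d} 83 10.103.1.{h} user{h} cn={grp},ou=groups,dc=acme,dc=com "
    f'- OBSERVED "Web Advertisements" http://ads.example/{h} 200 TCP_HIT GET image/gif http ads.example 80'
    for s, h, grp in [(29, 215, "Sales"), (30, 216, "Sales"), (31, 217, "Sales"),
                      (32, 218, "Sales"), (33, 219, "Engineering"), (34, 220, "Sales")]
]

# "cn=" up to the next comma of the LDAP DN, as an automatic key=value extraction sees it.
CN_RE = re.compile(r"\bcn=([^,\s]+)")

def extract_fields(event):
    """Return {"cn": value} for one raw event, or {} when the DN carries no cn."""
    m = CN_RE.search(event)
    return {"cn": m.group(1)} if m else {}

def spl_format(rows, field="cn"):
    """Mimic `fields <field> | format`: one ( field="value" ) term per row, OR-joined.
    Like SPL, it does not dedup, hence the ten identical cn="Sales" terms in the thread.
    Empty input is simplified to "" here (SPL emits a clause that matches nothing)."""
    terms = [f'( {field}="{row[field]}" )' for row in rows if field in row]
    return "( " + " OR ".join(terms) + " )" if terms else ""

def dedup(rows, field="cn"):
    """Mimic `dedup <field>`: keep the first row seen for each value, preserving order."""
    seen, out = set(), []
    for row in rows:
        if field in row and row[field] not in seen:
            seen.add(row[field])
            out.append(row)
    return out

def build_subsearch_clause(events, n=10, dedup_first=False):
    """Run `cn="*" | head n [| dedup cn] | fields cn | format` over raw events."""
    rows = [extract_fields(e) for e in events]
    rows = [r for r in rows if "cn" in r][:n]          # cn="*" filter, then head n
    if dedup_first:
        rows = dedup(rows)
    return spl_format(rows)

if __name__ == "__main__":
    print(build_subsearch_clause(SAMPLE_EVENTS))
    print(build_subsearch_clause(SAMPLE_EVENTS, dedup_first=True))
```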
Do you have any fields set to the literal asterisk? We have some trouble with that sort of thing.
There might be a bug such that subsearches do not perform "Private" extractions correctly. Is the field extraction for the cn field either "App" or "Global", or is it "Private"?
Hi Gkanapathy, here is another case we filed yesterday: http://answers.splunk.com/questions/5296/field-extraction-stopped-working-after-upgrade-from-4-1-3-t... . I don't know if it is the same problem, thanks.
Hi Jrodman, gkanapathy,
thanks for your reply.
Because the field "cn" was extracted by Splunk automatically, not by a user, I think "cn" is not a private field.
The event looks like:
2010-4-22 10:27:29 83 10.103.1.215 anthony.keller cn=Sales,ou=groups,dc=acme,dc=com - OBSERVED "Web Advertisements" http://view.atdmt.com/VON/iview/yhxxxvos0160000076von/direct/01/?time=1190758799040297&click=http://... 200 TCP_HIT GET image/gif http spe.atdmt.com 80 ...
There's definitely a bug that subsearches don't look at per-user data. Andrea is working on it.