Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Howcome additional condition increases result count?

shai
Explorer
‎10-10-2023 09:56 PM

my question is very simple. 

This returns nothing:

 

sourcetype=my_sourcetype

 

This returns X amount of events (same amount as index=my_index):

 

index=my_index AND sourcetype=my_sourcetype

 

Search is in: Verbose Mode
what am I missing?! 
howcome another filter returns more events?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-12-2023 06:53 AM

Hi @shai ,

in the [Settings > Roles > Indexes] Tab, are your index flagged also in the Default column?

gcusello_0-1697118743593.png

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-10-2023 11:25 PM

Hi @shai,

this means that your index isn't in the search default path for your role [Settings > Roles > your_role > Indexes].

Anyway, it's always a best practice to use the index filter in every search, trying to limit the indexes to only the ones where the log to search are stored: this approach redduces the time search.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

shai
Explorer
‎10-12-2023 04:01 AM

Hi @gcusello 
Thank you for your response

However it does not explain the odd behaviour because I use admin Role and in the setting page that you have referred me to, all the indices are included. So can you explain what else I might be missing?

Note that I witnessed this issue not only with indexes but with sourcetype.
for example searching for field=value yielded zero results but searching field=value AND sourcetype=certail_type did return results... 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-12-2023 04:58 AM

Hi @shai,

which Mode are you using in your searches?

did you try to use Verbose Mode?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

shai
Explorer
‎10-12-2023 06:26 AM

hi @gcusello 
as written in the original post the mode is Verbose.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-12-2023 06:53 AM

Hi @shai ,

in the [Settings > Roles > Indexes] Tab, are your index flagged also in the Default column?

gcusello_0-1697118743593.png

Ciao.

Giuseppe

Reply
Solved! Jump to solution

shai
Explorer
‎10-12-2023 07:45 AM

@gcusello 
marking as default solved the issue. thank you very much.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-12-2023 07:50 AM

Hi @shai,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...