Splunk Search

How come an additional condition increases the result count?

shai
Explorer

My question is very simple.

This returns nothing:

 

sourcetype=my_sourcetype

 

This returns X amount of events (same amount as index=my_index):

 

index=my_index AND sourcetype=my_sourcetype

 

Search is in: Verbose Mode
What am I missing?!
How come another filter returns more events?

0 Karma

gcusello
SplunkTrust

Hi @shai,

this means that your index isn't in the search default path for your role [Settings > Roles > your_role > Indexes].

Anyway, it's always a best practice to use the index filter in every search, trying to limit the indexes to only the ones where the logs to search are stored: this approach reduces the search time.

Ciao.

Giuseppe

0 Karma

shai
Explorer

Hi @gcusello,
Thank you for your response.

However, it does not explain the odd behaviour, because I use the admin role and, in the settings page that you referred me to, all the indices are included. So can you explain what else I might be missing?

Note that I witnessed this issue not only with indexes but with sourcetype.
For example, searching for field=value yielded zero results but searching field=value AND sourcetype=certail_type did return results...

0 Karma

gcusello
SplunkTrust

Hi @shai,

Which mode are you using in your searches?

Did you try to use Verbose Mode?

Ciao.

Giuseppe

0 Karma

shai
Explorer

Hi @gcusello,
as written in the original post, the mode is Verbose.

0 Karma

gcusello
SplunkTrust

Hi @shai ,

in the [Settings > Roles > Indexes] tab, is your index also flagged in the Default column?


Ciao.

Giuseppe

shai
Explorer

@gcusello
Marking as default solved the issue. Thank you very much.

0 Karma

gcusello
SplunkTrust

Hi @shai,

Good for you, see you next time!

Let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
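
The behaviour resolved in this thread, as an added example that is not part of the original posts: the Default column corresponds to `srchIndexesDefault` in authorize.conf, and a search without an `index=` term only looks in those indexes, even when `srchIndexesAllowed` covers everything. The sketch below classifies an index for a role from a constructed authorize.conf; the role names, sample values and helper functions are assumptions, and inherited roles (`importRoles`) are not resolved.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf (not taken from the thread). Role names
# are placeholders; my_index matches the index name used in the question.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os

[role_analyst]
srchIndexesAllowed = my_index;main
srchIndexesDefault = my_index
"""

def _patterns(value):
    # Index lists in authorize.conf are semicolon-separated.
    return [p.strip() for p in value.split(";") if p.strip()]

def _matches(index, patterns):
    # Assumption: '*' covers non-internal indexes only; internal indexes
    # (leading underscore) need a pattern that itself starts with '_'.
    for p in patterns:
        if index.startswith("_") != p.startswith("_"):
            continue
        if fnmatchcase(index, p):
            return True
    return False

def search_scope(conf_text, role, index):
    """Return 'default', 'explicit-only' or 'denied' for role and index.

    'explicit-only' is the case from the thread: the index is searchable,
    but only when the search names it with index=...
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    section = cp[f"role_{role}"]
    allowed = _patterns(section.get("srchIndexesAllowed", ""))
    default = _patterns(section.get("srchIndexesDefault", ""))
    if not _matches(index, allowed):
        return "denied"
    return "default" if _matches(index, default) else "explicit-only"

if __name__ == "__main__":
    for role in ("admin", "analyst"):
        print(role, "my_index ->", search_scope(SAMPLE_AUTHORIZE_CONF, role, "my_index"))
```

An `explicit-only` result for a role means `sourcetype=my_sourcetype` alone returns nothing for that role, while `index=my_index AND sourcetype=my_sourcetype` returns events.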
