Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I get results for metadata searches, but why do I get 0 search results running regular searches on my new Splunk 6.2.3 search head?

ltrand
Contributor
‎06-08-2015 07:28 AM

Hello Splunkverse,

I've recently set up a new Search Head to test 6.2.3 and it looks awesome. I do have one major issue however that I can't seem to figure out. When I do metadata searches, I can get results. When I use the new Deployment Console, everything is correct. However, when I try to do regular searches I always get 0 results, regardless of the indexes I search. Any thoughts as to what I might have missed in configuration? All indexers are on 6.1.3.

Thanks!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-08-2015 08:51 AM

Give us an example of a "regular search". I find it hard to believe that, if you have your peering correct, that you don't get results. Perhaps you are in the (very bad) habit of relying on "indexes searched by default" and maybe you have no data in index main. That would make searches like sourcetype=bar fail when a search like index=foo sourcetype=bar works.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-08-2015 08:51 AM

Give us an example of a "regular search". I find it hard to believe that, if you have your peering correct, that you don't get results. Perhaps you are in the (very bad) habit of relying on "indexes searched by default" and maybe you have no data in index main. That would make searches like sourcetype=bar fail when a search like index=foo sourcetype=bar works.

Reply
Solved! Jump to solution

ltrand
Contributor
‎06-12-2015 07:54 AM

Thanks, I didn't realize the default admin was limited in searching!

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-08-2015 07:34 AM

You forgot to peer your new Search Head to your existing indexers: Settings -> Distributed search -> Search peers.

0 Karma
Reply
Solved! Jump to solution

ltrand
Contributor
‎06-08-2015 08:37 AM

Thanks for the attempt. All indexers in my environment are listed as search peers for me and have a up status with successful replication.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...