Not able to search with some fields

Hello All
I am not sure why I am not able to use a search like

host=*

but if I search like

index=* host=* 

then it will work.

Not sure why. I need to use more fields to start searching, but some are working and some are not.

0 Karma

Re: Not able to search with some fields

Legend

@vishaltaneja07011993 You can use Access Control in Splunk to define some default indexes which can be searched by your user role without defining the index= in the search query.

Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Security/Addandeditroles#Add_or_edit_a_role




| eval message="Happy Splunking!!!"


0 Karma

Re: Not able to search with some fields

Hello @niketnilay

Nope, it is not like that; in the roles I have mentioned by default access to All non Internal indexes.
But still it is not running.

So some other issue it is.

0 Karma

Re: Not able to search with some fields

Legend

@vishaltaneja07011993 I am not sure why that is not working. If proper access has been provisioned this should work out of the box. You should raise a Splunk Support case to have them look into the configuration issue.

What are the indexes that show up when you run the following query?

| tstats count where index=* by index



| eval message="Happy Splunking!!!"


0 Karma

Re: Not able to search with some fields

It is giving mostly all the indexes

0 Karma

Re: Not able to search with some fields

SplunkTrust

Hi @vishaltaneja07011993,

This is because running host=* is the equivalent of running index="your user's role default searched indexes" host=* .

If your requirement is that index=* host=* and host=* give you the same results then you need to add all your indexes to the list of indexes searched by default for your role.

To do so you can change this under Settings » Access controls » Roles » Your Role » Default indexes

Let me know if that helps.

Cheers,
David

0 Karma
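As an added illustration of the answer above (not code from the thread or from Splunk), this Python example models how a role's `srchIndexesDefault` and `srchIndexesAllowed` settings in authorize.conf decide which indexes a search covers with and without an `index=` term. The role names, index names and the simplified wildcard and `importRoles` handling are assumptions.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf fragment and index list (not from the thread).
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_analyst]
importRoles = user
srchIndexesAllowed = *;_*
srchIndexesDefault = web_*
"""
ALL_INDEXES = ["main", "web_proxy", "web_access", "firewall", "_internal", "_audit"]


def load_roles(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the camelCase setting names
    parser.read_string(text)
    return {s[len("role_"):]: dict(parser[s])
            for s in parser.sections() if s.startswith("role_")}


def setting(roles, role, key, seen=None):
    """Collect a semicolon-separated setting from a role and the roles it imports."""
    seen = seen if seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    values = {v.strip() for v in roles[role].get(key, "").split(";") if v.strip()}
    for parent in roles[role].get("importRoles", "").split(";"):
        values |= setting(roles, parent.strip(), key, seen)
    return values


def matches(index, pattern):
    # "*" covers non-internal indexes only; internal ones need a pattern starting with "_".
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatchcase(index, pattern)


def searched_indexes(roles, role, index_terms=None):
    """Indexes a search covers; index_terms=None means the search has no index= term."""
    allowed = setting(roles, role, "srchIndexesAllowed")
    wanted = index_terms or setting(roles, role, "srchIndexesDefault")
    return sorted(i for i in ALL_INDEXES
                  if any(matches(i, p) for p in allowed) and any(matches(i, p) for p in wanted))
```

With this constructed role, a bare `host=*` never reaches the `firewall` index even though the role is allowed to search it, while `index=* host=*` does.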

Re: Not able to search with some fields

Hello @DavidHourani

Nope, it is not like that; in the roles I have mentioned by default access to All non Internal indexes.
But still it is not running.

So some other issue it is.

0 Karma

Re: Not able to search with some fields

SplunkTrust

In the role you have two configs: Indexes searched by default and Indexes. Are they both set to All non Internal indexes?

0 Karma

Re: Not able to search with some fields

Hello @davidhourani

yes
For Indexes searched by default

it is having All Non Internal indexes
& for indexes search one has both All Non Internal Indexes & All Internal Indexes

0 Karma

Re: Not able to search with some fields

SplunkTrust

Do you have the same when running a search with sourcetype=* instead of host=*?

0 Karma