This is because running
host=* is the equivalent of running
index="your user's role default searched indexes" host=* .
If your requirement is that
index=* host=* and
host=* give you the same results then you need to add all your indexes to the list of indexes searched by default for your role.
To do so you can change this under Settings » Access controls » Roles » Your Role » Default indexes
Let me know if that helps.
@vishaltaneja07011993 You can use Access Control in Splunk to define some default index which can be search by your user role without defining the
index= in the search query.
Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Security/Addandeditroles#Add_or_edit_a_role
@vishaltaneja07011993 I am not sure why that is not working. If proper access has been provisioned this should work out of the box. You should raise a Splunk Support case to have them look into configuration issue.
What are the indexes that show up when you run the following query?
| tstats count where index=* by index