Splunk Search

Search not working after migration to new Splunk cluster

morphis72
Path Finder

I have migrated my data collections from an older Splunk instance to a new clustered environment and am having issues with searches.

The old environment was running Splunk 6.5.2
The new environment is running Splunk 7.2.4

The data appears to be coming in correctly. The props and transforms seem to be firing correctly. When I do a side-by-side comparison of logs in the legacy and new environments they appear to be identical.

In the below example search I am trying to run, if I peel off everything starting with the first rex all the way to the end I get the logs. But if I put back anything including or after that first rex the query runs through the logs and returns nothing. This exact query is working in my legacy Splunk on the same data.

index=<myindex> "GROUP USER - FINAL RESPONSE" OR ("UiInteractionHoldingsServicesImpl" AND "getHoldingsData ::  retail HoldingsList" AND NOT "retail HoldingsList size: 0") OR ("parsePandCHoldings :: pnc HoldingsList" AND NOT "PnC holdingsList size: 0") sourcetype=servicelog* | rex "id=(?<sess>.*):lv=(?<lv>.*):ss=(?<ss>.*)" | convert timeformat="%Y-%m-%d %H" ctime(_time) AS date  | dedup sess date | rex ":: - (?<user_type>.*) USER - FINAL RESPONSE" | rex "getHoldingsData ::  (?<user_type>.*) HoldingsList" | rex "parsePandCHoldings :: (?<user_type>.*) HoldingsList" | eval new_user_type = case(user_type="GROUP", "Group", user_type="retail", "Retail", user_type="pnc", "Auto and Home", 1=1, user_type)  |stats count by new_user_type | collect

gcusello
SplunkTrust

Hi morphis72,
A stupid question:
What's your architecture? Do you have Search Heads and clustered Indexers, or only clustered Indexers?
Because from version 7.x.x, if you have clustered Indexers you cannot run searches on them; you must use a Search Head!
Bye.
Giuseppe


richgalloway
SplunkTrust

Are you sure about where the query breaks? rex does not filter events so anything in the base query should make it through everything up to dedup.

---
If this reply helps you, Karma would be appreciated.
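As an added illustration of the point above (not code from this thread or from Splunk), the Python simulation below reproduces the rex and dedup semantics of the question's query over constructed sample events: rex only adds fields and never drops an event, while dedup drops any event missing one of its dedup fields (sess here) unless keepempty=true, which is Splunk's documented default. The hour bucket that the convert step would produce is supplied directly as a date field, and the user-type labels follow the query's case() expression.

```python
import re
from collections import Counter

# rex patterns from the question; PCRE-style (?<name>...) groups are rewritten
# to Python's (?P<name>...) so the standard re module accepts them.
REX_SESSION = r"id=(?<sess>.*):lv=(?<lv>.*):ss=(?<ss>.*)"
REX_USER_TYPES = [r":: - (?<user_type>.*) USER - FINAL RESPONSE",
                  r"getHoldingsData ::  (?<user_type>.*) HoldingsList",
                  r"parsePandCHoldings :: (?<user_type>.*) HoldingsList"]

def rex(events, pattern):
    """SPL rex semantics: add captured fields where the pattern matches; never drop."""
    rx = re.compile(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern))
    for ev in events:
        m = rx.search(ev["_raw"])
        if m:
            ev.update(m.groupdict())
    return events

def dedup(events, fields, keepempty=False):
    """SPL dedup semantics: first event per field combination wins; events missing
    any dedup field are dropped unless keepempty=true (Splunk's documented default)."""
    seen, kept = set(), []
    for ev in events:
        if not all(f in ev for f in fields):
            if keepempty:
                kept.append(ev)
            continue
        key = tuple(ev[f] for f in fields)
        if key not in seen:
            seen.add(key)
            kept.append(ev)
    return kept

# Constructed sample events (not from the thread); "date" is the hour bucket convert would yield.
SAMPLE = [
    {"date": "2019-03-01 10", "_raw": "id=abc:lv=1:ss=x :: - GROUP USER - FINAL RESPONSE"},
    {"date": "2019-03-01 10", "_raw": "id=abc:lv=1:ss=x getHoldingsData ::  retail HoldingsList size: 3"},
    {"date": "2019-03-01 11", "_raw": "id=def:lv=2:ss=y parsePandCHoldings :: pnc HoldingsList size: 2"},
    {"date": "2019-03-01 11", "_raw": ":: - GROUP USER - FINAL RESPONSE"},   # no id=/lv=/ss= triplet
]

def run_pipeline(events=SAMPLE, keepempty=False):
    # Returns (count after first rex, count after dedup, stats count by new_user_type).
    events = rex([dict(e) for e in events], REX_SESSION)
    after_rex = len(events)
    events = dedup(events, ("sess", "date"), keepempty)
    for p in REX_USER_TYPES:
        rex(events, p)
    labels = {"GROUP": "Group", "retail": "Retail", "pnc": "Auto and Home"}
    return after_rex, len(events), dict(Counter(labels.get(e.get("user_type"), e.get("user_type")) for e in events))
```

Running it shows all four events surviving rex, while dedup silently discards the event without a session triplet unless keepempty=true is set.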

morphis72
Path Finder

If I pull off | rex ->

I get events. Put it on and I see the event counts but it matches nothing.
