Splunk Search

Source and sourcetype filtering no longer working after upgrade


After upgrading from Splunk 6.2 to 6.6.3 with large existing indexes, any search by either source or sourcetype no longer works, i.e. "No results found. Try expanding the time range".

Indeed, both fields are present in all events, as can be seen when not filtering in the search line.
Even statistics work.
If I do `* | stats count by source`, then I get a perfect list of all sources with their event counts.

But still, clicking on a source and "Add to search" adds it to the search line and returns an empty result.

Any Ideas where it goes wrong?

I do find some errors in the log, such as:
WordPositionData - couldn't find tab delim
or warnings such as:
reason='couldn't parse hash code:

can this be a reason?


0 Karma


Thanks for the hint.

I did everything I could find:
- $SPLUNK_HOME/bin/splunk fsck repair --all-buckets-all-indexes
- $SPLUNK_HOME/bin/recover-metadata $SPLUNK_DB/$i/db/$d (looping over index/db)
and it took days...

However, I still have the same log entries and cannot search by source, sourcetype or host. Fortunately I can do this on a test installation, where the issues are exactly the same as on the production environment. Once I find a solution, it has to be applied to the real one.

More ideas?

0 Karma
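The reply above loops recover-metadata over every index and bucket directory by hand. The script below, added here as an example and not code from the original thread or from Splunk, makes that loop selective: it walks the `$SPLUNK_DB/<index>/db/<bucket>/` layout and only reports (or, with `DRY_RUN=0`, repairs) buckets that are missing one of the per-bucket metadata files that recover-metadata regenerates (Hosts.data, Sources.data, SourceTypes.data). The bucket name patterns (`db_*`, `rb_*`, `hot_v1_*`), the `$SPLUNK_DB` default and the relevance of those three files to host/source/sourcetype lookups are assumptions; run it with splunkd stopped, since recover-metadata rewrites bucket files.

```shell
#!/bin/sh
# Added example (not from the original post or from Splunk): find Splunk
# buckets that lack the per-bucket metadata files and optionally rebuild them.
# Assumptions: standard $SPLUNK_DB/<index>/db/<bucket>/ layout, warm/replicated/hot
# bucket names matching db_*, rb_* and hot_v1_*, and recover-metadata in
# $SPLUNK_HOME/bin as used in the thread. Stop splunkd before repairing.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_DB="${SPLUNK_DB:-$SPLUNK_HOME/var/lib/splunk}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only list what would be repaired

# Print, one per line, every bucket directory under $1 (a $SPLUNK_DB-style root)
# that is missing at least one of the three metadata files.
find_buckets_missing_metadata() {
    root="$1"
    for bucket in "$root"/*/db/db_* "$root"/*/db/rb_* "$root"/*/db/hot_v1_*; do
        [ -d "$bucket" ] || continue          # skip unmatched glob patterns
        for f in Hosts.data Sources.data SourceTypes.data; do
            if [ ! -f "$bucket/$f" ]; then
                printf '%s\n' "$bucket"
                break                         # report each bucket only once
            fi
        done
    done
}

# Run recover-metadata on each affected bucket, or print the command when
# DRY_RUN=1. Output lines starting with "would run:" are the dry-run plan.
repair_buckets() {
    root="$1"
    find_buckets_missing_metadata "$root" | while IFS= read -r bucket; do
        if [ "$DRY_RUN" = "1" ]; then
            printf 'would run: %s/bin/recover-metadata %s\n' "$SPLUNK_HOME" "$bucket"
        else
            "$SPLUNK_HOME/bin/recover-metadata" "$bucket"
        fi
    done
}

# Invoke as:  DRY_RUN=1 sh check-bucket-metadata.sh --run
# (the --run guard keeps the functions sourceable without side effects)
if [ "${1:-}" = "--run" ]; then
    repair_buckets "$SPLUNK_DB"
fi
```

Checking for missing files first keeps the rebuild limited to buckets that actually need it, instead of reprocessing every bucket in every index, which is what made the full loop in the reply take days.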


There seems to be no solution to that problem.

What if I had started from scratch?
How would I import the existing data into the new DB?
When importing data, how do I define the index where they have to go to?

Any help is appreciated.

0 Karma