Why am I getting 0 results when trying to filter m...

szabados · ‎08-16-2016

I'm facing an issue which I'm simply unable to understand

I ran a search, simply by specifying the index I want to search in like this:

index=my_index

After this, I selected one of the values which were displayed in the top 10 for the sourcetype field, and added it to my search, so I had:

index=my_index sourcetype=my:sourcetype

And then, I got 0 results. I haven't changed the time picker or anything else, and I'm unable to understand why I'm not getting any results. Checking with the metadata command, I have thousands of events with this sourcetype in the index, and Splunk is displaying this sourcetype in the values of the field, but for some reason I can't run a search for it.

Edit:

When I'm not narrowing my search with that filer, I see the events with that particular sourcetype

Edit2:

Searching with:

index=my_index sourcetype=*

is not yielding any events with this problematic sourcetype.
The sourcetype itself if set by props.conf, could this cause any issues?

sundareshr · ‎08-16-2016

Check with your Splunk admin. It is possible to restrict access to specific sourcetypes

http://docs.splunk.com/Documentation/Splunk/6.2.4/Security/Addandeditroleswithauthorizeconf#Search_f...

inventsekar · ‎08-16-2016

Maybe, add double quotes around source type.

index=my_index sourcetype="my:sourcetype"

szabados · ‎08-16-2016

Yes, when I clicked the value from the list, it automatically added, it didn't work either

inventsekar · ‎08-16-2016

Simply when you search for

sourcetype=my:sourcetype

what it returns

Why am I getting 0 results when trying to filter my search by including a specific sourcetype?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk