Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why can I not search in Smart Mode or Verbose Mode in a specific sourcetype?

matthewssa
Path Finder
‎02-01-2018 12:38 PM

Hi!

I am trying to perform a very basic search to bring back results but the search appears to never finish when I queue it up for a specific index and sourcetype in either Smart Mode or Verbose Mode. What is puzzling is the results are only 601 events which is not much at all. I have checked other sourcetypes in the same index and they appear to be working with no issue when running them in Smart Mode and Verbose Mode.

This search will not finish in either Smart Mode or Verbose Mode Last 15 minutes:

index=bro sourcetype=bro_smtp

This search will finish in Fast Mode Last 15 minutes: Results 601 events.

index=bro sourcetype=bro_smtp
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-01-2018 12:47 PM

I bet you have a regex that is misbehaving. Did you recently add a search time extraction? If so, what does the regex look like?

I've had this happen a few times when a regex wasn't specific enough and would essentially have infinite matches or possible matches.

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎02-01-2018 12:47 PM

I bet you have a regex that is misbehaving. Did you recently add a search time extraction? If so, what does the regex look like?

I've had this happen a few times when a regex wasn't specific enough and would essentially have infinite matches or possible matches.

Reply
Solved! Jump to solution

matthewssa
Path Finder
‎02-01-2018 03:07 PM

I did pull over the same Bro app that has all of our parsing inside the app from another one of our Splunk instances. I commented out all of the entries in our transforms.conf file in the Bro app on one of our indexers and tried to search the field bro_smtp in verbose mode and what do you know! It works! I guess now I just need to go back through and figure out which one broke that sourcetype. Thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...