Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why can't I search by Source using HUNK?

EricLloyd79
Builder
‎06-28-2018 10:32 AM

We currently use HUNK and have a virtual index to search a MapRFS. When I run the search I can clearly see that source kpis are created showing where the file is. When I click on it and choose Add to Search, it doesn't find any results - which makes no sense at all.

Anyone else seen this behavior?

0 Karma
Reply

rdagan_splunk
Splunk Employee
Splunk Employee
‎07-02-2018 01:43 PM

At least based on my test, using ' source ' worked as expected. It tried these two options:
index=avrodata source="/user/root/data/Avro/20150625/x/20150625.avro" | stats count
and
index=avrodata | stats count by source

0 Karma
Reply

EricLloyd79
Builder
‎08-01-2018 08:02 AM

This still does not work for me. I will search index=mapr | stats count in Verbose mode, then click on one of the hosts to add it to the search so I know its there and it produces a search query like:
index=mapr source="abc/xyz.log | stats count
But now no results are returned.

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎06-29-2018 10:44 AM

Hi. I just tested in 2 different Spunk environments: Splunk 6.6.4 and 6.6.8.

In both cases I could search for 

index=foo sourcetype=bar

OR 

index=* sourcetype=bar

And I did get records.

I suggest you do your search that gets data and try 

  index=foo | stats count by sourcetype

Just to confirm.. And also share your configs. Do you have the stanza in props.conf that is something like

[source::/path/to/hdfs/...]
priority          = 123
sourcetype        = bar
0 Karma
Reply

EricLloyd79
Builder
‎06-29-2018 10:55 AM

I am trying to search by SOURCE
not SOURCETYPE

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...