Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why can't I search by Source using HUNK?

EricLloyd79
Builder
‎06-28-2018 10:32 AM

We currently use HUNK and have a virtual index to search a MapRFS. When I run the search I can clearly see that source kpis are created showing where the file is. When I click on it and choose Add to Search, it doesn't find any results - which makes no sense at all.

Anyone else seen this behavior?

0 Karma
Reply

rdagan_splunk
Splunk Employee
Splunk Employee
‎07-02-2018 01:43 PM

At least based on my test, using ' source ' worked as expected. It tried these two options:
index=avrodata source="/user/root/data/Avro/20150625/x/20150625.avro" | stats count
and
index=avrodata | stats count by source

0 Karma
Reply

EricLloyd79
Builder
‎08-01-2018 08:02 AM

This still does not work for me. I will search index=mapr | stats count in Verbose mode, then click on one of the hosts to add it to the search so I know its there and it produces a search query like:
index=mapr source="abc/xyz.log | stats count
But now no results are returned.

0 Karma
Reply

burwell
SplunkTrust
SplunkTrust
‎06-29-2018 10:44 AM

Hi. I just tested in 2 different Spunk environments: Splunk 6.6.4 and 6.6.8.

In both cases I could search for 

index=foo sourcetype=bar

OR 

index=* sourcetype=bar

And I did get records.

I suggest you do your search that gets data and try 

  index=foo | stats count by sourcetype

Just to confirm.. And also share your configs. Do you have the stanza in props.conf that is something like

[source::/path/to/hdfs/...]
priority          = 123
sourcetype        = bar
0 Karma
Reply

EricLloyd79
Builder
‎06-29-2018 10:55 AM

I am trying to search by SOURCE
not SOURCETYPE

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...