- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i am unable to search the data with sourcetype name but i can search data by index name.
i am unable to search the data with sourcetype name but i can search data by index name.Please tell what can i do to resolve this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

you must update your Role(s) to include that index as part of the "Indexes searched by default."
In UI, Go to
Settings>>Access controles>>Roles>>Select specific role>>Scroll down to "Indexes searched by default">>include your index>>Click SAVE
It will update authorize.conf for specific role
and now you can search by sourcetype also.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content

It looks like you don't have index specified in srchIndexesDefault
in authorize.conf for specific role, so in that case when you use index=abc
you will able to search but when you type sourcetype=xyz
it will try to search in indexes which is given in srchIndexesDefault
. If you don't provide any index in srchIndexesDefault
in authorize.conf for particular role then it will not display any result when you run sourcetype=xyz
query.
