Splunk Search

"New Search" function of Table view misses Index

testuser013
New Member

Hello,

today I have found a bug(?) in the "New Search" function from the Table view.

What I mean by the "New Search" function:

Run a search and select the table view (not raw or list). Then click on one of the shown values of a field, for example the value of a host field, and select "New Search".

Now a new search starts with the selected field+value, but instead of using the same index(es) from the view before, only a * will be used.

As we have not defined any default indexes in our environment, those searches won't return any results, because no index is included in the search. Is there a possibility to reconfigure this, instead of a plain asterisk?


Best Regards.

0 Karma
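Editor's note, not part of the thread: when a search string names no index at all (as the question describes), Splunk runs it against the default indexes of the user's role, and those are configured per role in authorize.conf. The stanza below is a constructed example; the role name and index names are placeholders.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf
# Constructed example: role and index names are placeholders, not from the thread.
[role_soc_analyst]
# Indexes searched when the search string contains no index= term (semicolon-separated).
srchIndexesDefault = proxy;firewall;winevent
# Indexes the role may search at all. A search containing index=* expands to this
# list, not to srchIndexesDefault, so scope it per role rather than granting *.
srchIndexesAllowed = proxy;firewall;winevent;_internal
```

If the generated search already contains index=* rather than no index term, srchIndexesDefault has no effect and the search covers every index in srchIndexesAllowed. Keeping srchIndexesAllowed narrow per role is what bounds such a wildcard search.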

ITWhisperer
SplunkTrust

The same happens with 9.4.1 - perhaps it is a feature? But, tbh, it sounds like a bug. Raise a ticket and see what support say?

0 Karma

testuser013
New Member

Hi,

we use version 9.2.4.

The behaviour is independent of the search complexity. It also doesn't change if I search internal logs or across several indexes. The index(es) will always be replaced by an *.

The behaviour is also the same within the list view, so it's not only table view related.


BR

0 Karma

livehybrid
SplunkTrust

Hi

Which version of Splunk are you running? For me, when I click "New Search" in either table view or list view, I get the same behaviour, which in my example used index=_internal (which I had searched) and added the field I clicked.

Does it differ if you have a more complex query? 


0 Karma