Splunk Search

"New Search" function of Table view misses Index

testuser013
New Member

Hello,

Today I found a bug(?) in the "New Search" function from the Table view.

What I mean by the "New Search" function:

Run a search and select the table view (not raw or list). Then click on one of the shown values of a field, for example the value of a host field, and select "New Search".

Now a new search starts with the selected field+value, but instead of using the same index(es) from the view before, only a * will be used.

As we have not defined any default indexes in our environment, those searches won't return any results, because no index is included in the search. Is there a way I can reconfigure this, instead of a plain asterisk?

Best Regards.


ITWhisperer
SplunkTrust

The same happens with 9.4.1 - perhaps it is a feature? But, tbh, it sounds like a bug. Raise a ticket and see what support say?


testuser013
New Member

Hi,

We use version 9.2.4.

The behaviour is independent of the search complexity. It also doesn't change if I search internal logs or through several indexes. The index(es) will always be replaced by an *.

The behaviour is also the same within the list view, so it's not only table view related.

BR


livehybrid
SplunkTrust

Hi

Which version of Splunk are you running? For me, when I click on "New Search" in either table view or list view I get the same behaviour, which in my example did index=_internal (which I had searched) and added the field I clicked.

Does it differ if you have a more complex query? 
