signature not searchable

trevlix · ‎08-03-2011

I have an odd problem. I just set up a splunk instance and its only monitoring local linux logs at the moment. The logs contain iptables logs that are feeding in correctly as I see the right fields (eventtype, signature, dst, dpt, src, action, etc.)

However, the odd thing is when I try to search on the eventtype or signature for iptables (eventtype=firewall-deny or signature=firewall), nothing comes back. This is despite the fact that when I hover over the signature field in the field discovery panel is shows 200+ events for signature=firewall.

I'm assuming the eventtype=firewall-deny is not working because it depends on signature working.

So, am I doing something wrong or is there something I need to do in order to get it working correctly?

Unister · ‎06-13-2016

I know my answer is a little late, but maybe it is helping someone else. If you started the search exactly like you showed, the or must be in uppercase:

eventtype=firewall-deny OR signature=firewall

signature not searchable

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation

signature not searchable

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]