Solved: simple search sourcetype=X finds events but wont d...

asmithe · ‎03-03-2014

this search: index=flowspaces sourcetype=auditlog produces search results that are not displayed in the ui.

if fields are forced, events are displayed.

asmithe · ‎03-03-2014

Argh.

I mistakenly overwrote a newer props.conf with one with a bad eval on _time.

That'll do it every time...

View solution in original post

asmithe · ‎03-03-2014

Argh.

I mistakenly overwrote a newer props.conf with one with a bad eval on _time.

That'll do it every time...

asmithe · ‎03-03-2014

The captcha wont let me edit my OP. sorry.

this search:

index=flowspaces sourcetype=auditlog

produces search results that are not displayed in the ui.

if fields are forced, events are displayed.

e.g.

index=flowspaces sourcetype=auditlog | fields extracted-field1 extracted-field2

This is a big problem for some very large search queries which rely on that sourcetype - the necessary data is available but not showing up in the searches and makes all saved searches useless.

simple search sourcetype=X finds events but wont display them - unless field is forced

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

simple search sourcetype=X finds events but wont display them - unless field is forced

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers