Splunk Search

sourcetype not visible when using user created index

timpgray
Path Finder

When I create an input and assign it to a particular index (a new one I have created) and I also assign it a custom sourcetype, the custom sourcetype is not visible in the search app.

The sourcetype and index show up in the Manager and do show events associated with them.

I can perform a search using the specified index, but not with the specified sourcetype.

If I don't specify an index or if I specify 'main', it all works as expected. It is as if associating an index with a sourcetype makes the sourcetype invisible.

Does anyone have any suggestions what might be happening here?


Drainy
Champion

I read this last night and had no sudden ideas but I've re-read it this morning and it reads a whole lot different.

The Splunk summary page on the search app is configured to ONLY look at the main index so your new sourcetype won't show there.

Point 2, by default Splunk only searches the default index (main). So if you search index=myindex it will show your sourcetype, if you search sourcetype=mysourcetype it will search main and not find it.
Do index=myindex sourcetype=mysourcetype

Out of interest, why are you using a different index? The best use-cases for another index are for testing new data or if you want to have some way to logically separate data between users (for security or other reasons).
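To make the index-scoping point above concrete, here is a set of Splunk searches added as an example (they are not part of Drainy's answer or of any Splunk documentation); index=myindex and sourcetype=mysourcetype are the placeholder names used in this thread, and the rest is standard SPL (the metadata and eventcount commands, and the rest command against the roles endpoint).

```spl
| metadata type=sourcetypes index=myindex

index=myindex sourcetype=mysourcetype

| eventcount summarize=false index=* | dedup index | fields index count

| rest /services/authorization/roles | fields title srchIndexesDefault srchIndexesAllowed
```

The first search lists which sourcetypes actually sit in myindex, a sanity check that the input wrote the data where it was told to. The second is the scoped search from the answer. The third shows which indexes the current user can reach at all. The last one shows, per role, which indexes are searched when no index= term is given (srchIndexesDefault, the "Indexes searched by default" role setting in authorize.conf) and which are permitted (srchIndexesAllowed). Adding myindex to a role's default list makes sourcetype=mysourcetype work without an index= term, but the allowed list is the setting that actually controls who can read that data, which is what matters when the reason for a separate index is keeping one group's data away from another.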

Drainy
Champion

No worries, I managed to make a complete hash of trying to fix it! I had a similar event last week where I swear something that was working stopped working, but it couldn't have worked without a certain param defined... I had witnesses too! But of course they can't remember now 😛 Feel free to click the tick to accept if it's helped! (and/or upvote) 🙂


timpgray
Path Finder

I meant to comment on your answer, but posted it in the wrong place - see the next answer below. Thanks


timpgray
Path Finder

Thanks for your response.

Point 1 - thanks that explains the behavior I am seeing.
Point 2 - OK I see where you are going and this works for me.
Point 3 - (why am I using a different index?) - the short answer is that I was working on two different applications and I wanted to separate the data of the two apps - I would occasionally need to delete the indexed data on one of the applications and I wasn't wanting to take the hit of having to re-index all the data in such a scenario.

Now I am left scratching my head. Not knowing the info you shared in point one above, I created a separate index and the source types associated with this index DID in fact show up in the search app. I can't say I was expecting this, but I saw it and came to use it when doing any investigation I needed. Then something subtle changed (obviously, I don't know what it was) and now it behaves as you describe. Normally, I would just accept that my memory is playing tricks on me, but in this case, I used it too much for that to be the case. I think the behavior I saw has something to do with the 'owner' of the index, as the first time I did this the owner was the system (not sure exactly, but it was not the application in question...), then later I changed it (ownership of the index) to be the application in question.

Having said all that - it's not really an issue now that I know it is behaving correctly and I will plan accordingly.
