Getting Data In

Unable to search using Sourcetype

olavo123
Explorer

I have set up an indexer which I also use as a Search Head. I don't have a deployment server so I manually pushed (copied) the apps to the servers to configure the forwarders. The forwarders work just fine and are recognized by the Indexer. And the props as well as input apps work well. And I am able to search for the index data using:

index="test_index" sourcetype=test_sourcetype

All fields defined in the props and transforms files show up correctly. These fields also show correctly: host, source and sourcetype. I can see "sourcetype=test_sourcetype" in the events. But I am unable to search events using:

sourcetype=test_sourcetype

Any help will be appreciated.

Thanks

Olavo


MartinMcNutt
Communicator

If you wish to have custom indexes searched by default you must update your Role(s) to include that index as part of the "Indexes searched by default."

  1. Settings
  2. Access controls
  3. Roles
  4. Select Role(s)
  5. Scroll down to "Indexes searched by default"
  6. Add test_index
  7. Click SAVE
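
An added example, not part of the answer above or Splunk's own code: on disk, "Indexes searched by default" is the `srchIndexesDefault` setting of the role's stanza in authorize.conf, and this Python check resolves it per role to show why a search without `index=` skips `test_index`. The sample file and role names are constructed, and the code assumes the setting is inherited through `importRoles`.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf for illustration; role names are assumptions.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main;test_index
srchIndexesDefault = main

[role_test_analyst]
importRoles = user
srchIndexesDefault = test_*
"""

def load_roles(text):
    """Parse authorize.conf text into {role: {setting: [values]}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            roles[section[len("role_"):]] = {
                k: [v.strip() for v in val.split(";") if v.strip()]
                for k, val in cp[section].items()
            }
    return roles

def effective(roles, role, setting, seen=None):
    """Union of a setting over a role and the roles it imports (assumed inherited)."""
    seen = seen if seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    result = set(roles[role].get(setting, []))
    for parent in roles[role].get("importRoles", []):
        result |= effective(roles, parent, setting, seen)
    return result

def matches(index, pattern):
    # "*" does not cover internal indexes (leading "_"); "_*" does.
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatchcase(index, pattern)

def searched_without_index(roles, role, index):
    """True if a search with no index= term would scan `index` for this role."""
    patterns = effective(roles, role, "srchIndexesDefault")
    return any(matches(index, p) for p in patterns)
```

Here `user` may search `test_index` (it is in `srchIndexesAllowed`) but only when the search names it, which is the behaviour described in the question.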

jluste
Path Finder

It was my understanding that by default, the user roles only allow searches against index=main. If you wanted to default into other indexes, you'd have to update your roles per app behavior.


martin_mueller
SplunkTrust

Note, this is unrelated to the app but rather controlled by the user's role.

jluste
Path Finder

Yes, that's it. But I thought that this could also be set per application. Do the user roles allow per app settings? (Not an admin)


olavo123
Explorer

Also, I see that I cannot use the field "host" to perform any searches. I have to use index=" "; only then do other options like "host", etc. become operational.

-Olavo


olavo123
Explorer

I forgot to add that both the indexer and the forwarders are version 6.1.

Thanks

Olavo
