Solved: simple search sourcetype=X finds events but wont d...

asmithe · ‎03-03-2014

this search: index=flowspaces sourcetype=auditlog produces search results that are not displayed in the ui.

if fields are forced, events are displayed.

asmithe · ‎03-03-2014

Argh.

I mistakenly overwrote a newer props.conf with one with a bad eval on _time.

That'll do it every time...

View solution in original post

asmithe · ‎03-03-2014

Argh.

I mistakenly overwrote a newer props.conf with one with a bad eval on _time.

That'll do it every time...

asmithe · ‎03-03-2014

The captcha wont let me edit my OP. sorry.

this search:

index=flowspaces sourcetype=auditlog

produces search results that are not displayed in the ui.

if fields are forced, events are displayed.

e.g.

index=flowspaces sourcetype=auditlog | fields extracted-field1 extracted-field2

This is a big problem for some very large search queries which rely on that sourcetype - the necessary data is available but not showing up in the searches and makes all saved searches useless.

simple search sourcetype=X finds events but wont display them - unless field is forced

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms