Solved: I get results for metadata searches, but why do I ...

ltrand · ‎06-08-2015

Hello Splunkverse,

I've recently set up a new Search Head to test 6.2.3 and it looks awesome. I do have one major issue however that I can't seem to figure out. When I do metadata searches, I can get results. When I use the new Deployment Console, everything is correct. However, when I try to do regular searches I always get 0 results, regardless of the indexes I search. Any thoughts as to what I might have missed in configuration? All indexers are on 6.1.3.

Thanks!

woodcock · ‎06-08-2015

Give us an example of a "regular search". I find it hard to believe that, if you have your peering correct, that you don't get results. Perhaps you are in the (very bad) habit of relying on "indexes searched by default" and maybe you have no data in index main. That would make searches like sourcetype=bar fail when a search like index=foo sourcetype=bar works.

View solution in original post

woodcock · ‎06-08-2015

Give us an example of a "regular search". I find it hard to believe that, if you have your peering correct, that you don't get results. Perhaps you are in the (very bad) habit of relying on "indexes searched by default" and maybe you have no data in index main. That would make searches like sourcetype=bar fail when a search like index=foo sourcetype=bar works.

ltrand · ‎06-12-2015

Thanks, I didn't realize the default admin was limited in searching!

woodcock · ‎06-08-2015

You forgot to peer your new Search Head to your existing indexers: Settings -> Distributed search -> Search peers.

ltrand · ‎06-08-2015

Thanks for the attempt. All indexers in my environment are listed as search peers for me and have a up status with successful replication.

I get results for metadata searches, but why do I get 0 search results running regular searches on my new Splunk 6.2.3 search head?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk