After restoring a CSV based index, why are searches using fields or wildcards not returning results?

szaboszilard
Path Finder

Hi

I have a big big problem. I restored a CSV-based index (MS Exchange mail tracking log).
The restored data is big, over 100GB.

When I start a search specified by fields or "*data*", the search does not find anything. (The search process is very fast.)
I exported some restored data, executed a grep command on it, and found what I'm looking for.

Any idea, why I can't search in Splunk via fields or wildcard?

Regards

0 Karma
1 Solution

woodcock
Esteemed Legend

You are probably running in to this well-known problem:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false
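
The following is an added example, not code from the answer above or from Splunk: a small Python check that parses a fields.conf and reports which search-time extracted fields still lack INDEXED_VALUE = false (Splunk's default for that setting is true), then renders the stanzas to append. The sample fields.conf and the field names (sender_address, recipient_address, message_subject) are constructed for illustration.

```python
import configparser

# Constructed sample fields.conf: one field already carries the fix,
# one has an unrelated key, one has no stanza at all.
SAMPLE_FIELDS_CONF = """
[sender_address]
INDEXED_VALUE = false

[recipient_address]
INDEXED = false
"""

# Hypothetical search-time extracted fields from the Exchange tracking-log props.conf
SEARCH_TIME_FIELDS = ["sender_address", "recipient_address", "message_subject"]


def load_fields_conf(text):
    """Parse an INI-style Splunk fields.conf into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def fields_needing_fix(conf, search_time_fields):
    """Return the fields whose stanza does not set INDEXED_VALUE = false.

    A missing stanza counts as not set, because Splunk then falls back to
    the default (true) and filters events by the value as an indexed term.
    """
    missing = []
    for name in search_time_fields:
        stanza = conf.get(name, {})
        value = stanza.get("INDEXED_VALUE", "true").strip().lower()
        if value != "false":
            missing.append(name)
    return missing


def render_fix(field_names):
    """Render the fields.conf stanzas to add, in the form the answer gives."""
    return "\n".join(f"[{name}]\nINDEXED_VALUE = false\n" for name in field_names)


if __name__ == "__main__":
    conf = load_fields_conf(SAMPLE_FIELDS_CONF)
    todo = fields_needing_fix(conf, SEARCH_TIME_FIELDS)
    print("Fields still missing INDEXED_VALUE = false:", todo)
    print(render_fix(todo))
```

Run it against a real fields.conf by replacing SAMPLE_FIELDS_CONF with the file contents and SEARCH_TIME_FIELDS with the field names from your props.conf extractions.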

szaboszilard
Path Finder

On the left side, in the field list, I can see the total unique field count and the top 10 field values.
I try to select one field value from the field list, but the result is the same. No results, but it is in the index.

I can't understand why it doesn't work.

0 Karma

MuS
SplunkTrust

There isn't any stanza problem, my search was running in verbose mode. So switch back to verbose mode, I assume you're in fast mode now.

Read the docs http://docs.splunk.com/Documentation/Splunk/6.2.6/Search/Changethesearchmode to learn more about the search modes.

0 Karma

diogofgm
SplunkTrust

Just to clarify, you can see the data in Splunk when looking only at the index, right? If so:

  • Check whether you are searching in smart or verbose mode.
  • Check whether you have the props stanza for the sourcetype assigned to the events (run ./splunk btool props list --debug).
------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

szaboszilard
Path Finder

There isn't any stanza problem, my search was running in verbose mode.
When I click on an event I can see the correct fields.
When I use a field in the search, the process ends very fast without a result.

0 Karma