Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After restoring a CSV based index, why are searches using fields or wildcards not returning results?

szaboszilard
Path Finder
‎08-14-2015 01:06 AM

Hi

I have a big big problem. I restored a csv based index. (MS Exchange mail track log)
The restored data is big, over 100GB.

When I'm starting a search specified by fields or "*data*" the search does not find anything. (The search process is very fast)
I'm exported some restored data, and I executed an grep command on it and found what I'm looking for.

Any idea, why I can't search in Splunk via fields or wildcard?

Regards

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-21-2015 02:20 PM

You are probably running in to this well-known problem:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-21-2015 02:20 PM

You are probably running in to this well-known problem:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false
Reply
Solved! Jump to solution

szaboszilard
Path Finder
‎09-16-2015 06:57 AM

On left side at field list i can see the total unique fields count and the top 10 fields value.
I try to select one field value from field list, but the result is the same. No results, but is it in the index.

I can't understand why not works.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎09-21-2015 01:36 PM

There isn't any stanza problem, my search was running in verbose mode. So switch back to verbose mode, I assume you're in fast mode now.

Read the docs http://docs.splunk.com/Documentation/Splunk/6.2.6/Search/Changethesearchmode to learn more about the search modes.

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎08-14-2015 03:11 AM

just to clarify, you can see the data in splunk looking only at the index, right? if so:

  • check if you are searching using smart or verbose mode while searching.
  • check if you have the props stanza for the sourcetype assigned to the events. (run this ./splunk btool props list --debug)
------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

szaboszilard
Path Finder
‎09-16-2015 06:35 AM

There isn't any stanza problem, my search was running in verbose mode.
When i click to an event i can see the correct fields.
When i use a field in search, the process ends very fast without result.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...