I'm facing an issue which I'm simply unable to understand
I ran a search, simply by specifying the index I want to search in like this:
index=my_index
After this, I selected one of the values which were displayed in the top 10 for the sourcetype field, and added it to my search, so I had:
index=my_index sourcetype=my:sourcetype
And then, I got 0 results. I haven't changed the time picker or anything else, and I'm unable to understand why I'm not getting any results. Checking with the metadata command, I have thousands of events with this sourcetype in the index, and Splunk is displaying this sourcetype in the values of the field, but for some reason I can't run a search for it.
Edit:
When I'm not narrowing my search with that filter, I see the events with that particular sourcetype.
Edit2:
Searching with:
index=my_index sourcetype=*
is not yielding any events with this problematic sourcetype.
The sourcetype itself is set by props.conf; could this cause any issues?
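Added diagnostic search, not part of the original post, that puts the three counts side by side so you can see at which layer the events disappear: the bucket-level metadata (what `| metadata` reports), the indexed-field summary (`tstats`), and the actual event search. The index and sourcetype names are the placeholders used in the question; substitute your own.

```spl
| metadata type=sourcetypes index=my_index
| search sourcetype="my:sourcetype"
| eval source_of_count="metadata"
| rename totalCount AS count
| fields source_of_count sourcetype count
| append
    [ | tstats count where index=my_index sourcetype="my:sourcetype"
      | eval source_of_count="tstats", sourcetype="my:sourcetype" ]
| append
    [ search index=my_index sourcetype="my:sourcetype"
      | stats count
      | eval source_of_count="search", sourcetype="my:sourcetype" ]
| table source_of_count sourcetype count
```

Run it over the same time range as the failing search. Note that `metadata` reports bucket-level totals and does not honour the time picker the way the event search does, so a small difference between the first row and the other two is normal; a non-zero `metadata` row next to a zero `tstats` and `search` row is the pattern that points at something between the index and your search results (a role search filter, for example) rather than at the data itself.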
Check with your Splunk admin. It is possible to restrict access to specific sourcetypes.
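Added example, not part of the original answer, of how to check for the restriction this answer refers to from the search bar. It lists the roles assigned to the current user and, for each role, the search filter and allowed indexes attached to it. The two REST endpoints are standard Splunk endpoints; reading role definitions may require capabilities you do not have, in which case the joined columns come back empty and you need the admin after all.

```spl
| rest /services/authentication/current-context splunk_server=local
| fields username roles
| mvexpand roles
| rename roles AS title
| join type=left title
    [ | rest /services/authorization/roles splunk_server=local
      | fields title srchFilter srchIndexesAllowed ]
| table username title srchFilter srchIndexesAllowed
```

A restriction of the kind the answer describes is set in authorize.conf as a role-level search filter, for example a hypothetical `[role_analyst]` stanza with `srchFilter = sourcetype!=my:sourcetype`; that filter is silently appended to every search the role runs, which is exactly the symptom in the question. When a user holds several roles the filters are combined with OR, so a restrictive filter on one role can be relaxed by a permissive filter on another; check every role in the list, not just the first one.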
Maybe add double quotes around the sourcetype.
index=my_index sourcetype="my:sourcetype"
Yes, when I clicked the value from the list it was automatically added, and it didn't work either.
Simply, when you search for
sourcetype=my:sourcetype
what does it return?