We currently use HUNK and have a virtual index to search a MapRFS. When I run the search I can clearly see that source kpis are created showing where the file is. When I click on it and choose Add to Search, it doesn't find any results - which makes no sense at all.
Anyone else seen this behavior?
At least based on my test, using 'source' worked as expected. I tried these two options:
index=avrodata source="/user/root/data/Avro/20150625/x/20150625.avro" | stats count
and
index=avrodata | stats count by source
This still does not work for me. I will search index=mapr | stats count in Verbose mode, then click on one of the hosts to add it to the search so I know it's there, and it produces a search query like:
index=mapr source="abc/xyz.log | stats count
But now no results are returned.
Hi. I just tested in 2 different Splunk environments: Splunk 6.6.4 and 6.6.8.
In both cases I could search for
index=foo sourcetype=bar
OR
index=* sourcetype=bar
And I did get records.
I suggest you do your search that gets data and try
index=foo | stats count by sourcetype
Just to confirm. And also share your configs. Do you have a stanza in props.conf that looks something like:
[source::/path/to/hdfs/...]
priority = 123
sourcetype = bar
I am trying to search by SOURCE
not SOURCETYPE