Hello,
I just uploaded a txt file with some logs, through GUI Add data -> upload.
Data is indexed, and I can search it by typing
index = test
I can see that all metafields like source and sourcetype have been assigned according to my settings, but....
when I search for
source = my_source
or
sourcetype = mylogfile.txt
I get zero results.....
I know that no stanzas are generated in inputs.conf when you upload a file, but is it normal behaviour in case of uploading files?
When index is not specified in a search, Splunk will only search the default index(es) defined for your role. Often, that is just 'main'. If you search for
index=test sourcetype=mylogfile.txt
you should get results.
@danielwysockiarrow,
While you are uploading the file, if you have selected upload instead of monitor, Splunk does not need to add an entry to the inputs.conf because it doesn't need to monitor a file. For the search with sourcetype and source, do you have the role capabilities "Indexes searched by default" set to "All non-internal indexes"?
I've selected upload and also the oneshot command; both ways do not let me search by source or sourcetype.
As for the role capabilities, I had Indexes searched by default set to main only.
That was it! Thank you sir!