Splunk Search

Not able to search with some fields

vishaltaneja070
Motivator

Hello All
I am not sure why I am not able to use a search like

host=*

but if i search like

index=* host=* 

then it will work.

Not sure why. I need to use more fields to start searching, but some are working and some are not.

0 Karma

DavidHourani
Super Champion

Hi @vishaltaneja07011993,

This is because running host=* is the equivalent of running index="your user's role default searched indexes" host=*.

If your requirement is that index=* host=* and host=* give you the same results, then you need to add all your indexes to the list of indexes searched by default for your role.

To do so you can change this under Settings » Access controls » Roles » Your Role » Default indexes.

Let me know if that helps.

Cheers,
David

0 Karma
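The role setting David describes, shown as an added example that is not part of this thread: these are the two authorize.conf keys behind the Roles page, with a role stanza that reproduces the symptom next to the corrected one (the role names and the index list are constructed for illustration).

```ini
# authorize.conf (constructed example, not taken from this thread)

# Role as it behaves when "host=*" returns nothing while "index=* host=*" works:
# the user is allowed to search every index, but only "main" is searched when
# the query does not name an index, so "host=*" becomes "index=main host=*".
[role_analyst_before]
srchIndexesAllowed = *;_*
srchIndexesDefault = main

# Corrected role: the default searched set now matches the allowed non-internal
# indexes ("*" = all non-internal, "_*" = all internal), so "host=*" and
# "index=* host=*" cover the same data. Internal indexes stay opt-in via index=_*.
[role_analyst_after]
srchIndexesAllowed = *;_*
srchIndexesDefault = *
```

The values a role actually resolves to can be checked from the search bar with `| rest /services/authorization/roles | table title srchIndexesDefault srchIndexesAllowed`, which is useful when the UI shows "All non-internal indexes" but searches still behave as if a narrower default applied.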

vishaltaneja070
Motivator

Hello @DavidHourani

Nope, it is not like that. In the roles I have mentioned by default access to All non Internal indexes,
but still it is not running.

So some other issue it is.

0 Karma

DavidHourani
Super Champion

In the role you have two configs: Indexes searched by default and Indexes. Are they both set to All non Internal indexes?

0 Karma

vishaltaneja070
Motivator

Hello @davidhourani

Yes.
For Indexes searched by default

it has All Non Internal indexes,
and for Indexes it has both All Non Internal Indexes & All Internal Indexes.

0 Karma

DavidHourani
Super Champion

Do you have the same when running a search with sourcetype=* instead of host=*?

0 Karma

vishaltaneja070
Motivator

No, with sourcetype=* it is working fine.

0 Karma

DavidHourani
Super Champion

Could be a bug then... it's weird. Long shot, but try something like host="*"; maybe it has something to do with the format.

0 Karma

vishaltaneja070
Motivator

Nope. No luck.

0 Karma

niketn
Legend

@vishaltaneja07011993 You can use Access Control in Splunk to define some default indexes which can be searched by your user role without defining index= in the search query.

Refer to documentation: https://docs.splunk.com/Documentation/Splunk/latest/Security/Addandeditroles#Add_or_edit_a_role

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

vishaltaneja070
Motivator

Hello @niketnilay

Nope, it is not like that. In the roles I have mentioned by default access to All non Internal indexes,
but still it is not running.

So some other issue it is.

0 Karma

niketn
Legend

@vishaltaneja07011993 I am not sure why that is not working. If proper access has been provisioned, this should work out of the box. You should raise a Splunk Support case to have them look into the configuration issue.

What are the indexes that show up when you run the following query?

| tstats count where index=* by index
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

vishaltaneja070
Motivator

It is returning mostly all the indexes.

0 Karma