I found the search contradiction between "index=* host=splkc" and "host=splkc".
Though the former search find some results, the later is not.
Why ?
Following environment.
Splunk version : 5.02
Operating System : Windows Server 2008 R2 64bit
Data : WMI Polling Data
If there is no index term in your search, then Splunk will search the indexes that are listed as the default indexes for your role. You can see this list by going to Manager > Authentication > Roles.
Since by default users just have index="main"
in that list, then what's happening in the first screenshot is it's only searching index="main"
, and there are no events from that host there.
In the second screenshot you've searched for index="*"
. this tells splunkd that you'd like to search all of the indexes that you have permission to search, and in an index called "wmi_performancelog", there are some events from that host.
It's a little confusing that the absence of an index term is actually a more restrictive search than index=*, but that's what's happening here.
If there is no index term in your search, then Splunk will search the indexes that are listed as the default indexes for your role. You can see this list by going to Manager > Authentication > Roles.
Since by default users just have index="main"
in that list, then what's happening in the first screenshot is it's only searching index="main"
, and there are no events from that host there.
In the second screenshot you've searched for index="*"
. this tells splunkd that you'd like to search all of the indexes that you have permission to search, and in an index called "wmi_performancelog", there are some events from that host.
It's a little confusing that the absence of an index term is actually a more restrictive search than index=*, but that's what's happening here.
Thank you sideview for quick response and explanation.