Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Contradiction of search result ?

sunrise
Contributor
‎03-30-2013 09:29 PM

I found the search contradiction between "index=* host=splkc" and "host=splkc".
Though the former search find some results, the later is not.
Why ?
alt text

alt text

Following environment.
Splunk version : 5.02
Operating System : Windows Server 2008 R2 64bit
Data : WMI Polling Data

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-30-2013 10:49 PM

If there is no index term in your search, then Splunk will search the indexes that are listed as the default indexes for your role. You can see this list by going to Manager > Authentication > Roles.

Since by default users just have index="main" in that list, then what's happening in the first screenshot is it's only searching index="main", and there are no events from that host there.

In the second screenshot you've searched for index="*". this tells splunkd that you'd like to search all of the indexes that you have permission to search, and in an index called "wmi_performancelog", there are some events from that host.

It's a little confusing that the absence of an index term is actually a more restrictive search than index=*, but that's what's happening here.

View solution in original post

Reply
Solved! Jump to solution
Solution

sideview
SplunkTrust
SplunkTrust
‎03-30-2013 10:49 PM

If there is no index term in your search, then Splunk will search the indexes that are listed as the default indexes for your role. You can see this list by going to Manager > Authentication > Roles.

Since by default users just have index="main" in that list, then what's happening in the first screenshot is it's only searching index="main", and there are no events from that host there.

In the second screenshot you've searched for index="*". this tells splunkd that you'd like to search all of the indexes that you have permission to search, and in an index called "wmi_performancelog", there are some events from that host.

It's a little confusing that the absence of an index term is actually a more restrictive search than index=*, but that's what's happening here.

Reply
Solved! Jump to solution

sunrise
Contributor
‎03-31-2013 03:27 AM

Thank you sideview for quick response and explanation.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...