Search using field value yields no results

cdo_splunk · ‎09-01-2015

I ran the search that returned no results.

index=_internal source="metrics.log" splunk_server="" group= "per_index_thruput" | eval MB=kb/1024 | chart sum(MB) by series | sort - sum(MB)

I can see there is raw data, but as soon as I added group=per_index_thruput, no results found. Somehow, it does not recognize the field “group” despite the field shows up in the left menu. I can workaround it by surrounding it with double quotes "group=per_index_thruput" which forces splunk to search on the entire string — or just use per_index_thruput.

splunkIT · ‎09-01-2015

I had a similar issue too, and it turned out that there was a fields.conf file in one of my custom apps which has the following entries:

[default]
INDEXED = true

I believe the the default should be indexed=false. Anyway, once I have deleted this un-needed fields.conf file, and restarted splunk, my fields resumed working again.

sowings · ‎09-01-2015

Which app? That should be addressed.

splunkIT · ‎09-01-2015

my custom app

Search using field value yields no results

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio