Getting Data In

Unable to search using Sourcetype

olavo123
Explorer

I have set up an indexer which I also use as a Search Head. I don't have a deployment server so I manually pushed (copied) the apps to the servers to configure the forwarders. The forwarders work just fine and are recognized by the Indexer. And the props as well as input apps work well. And I am able to search for the index data using:

index="test_index" sourcetype=test_sourcetype

All fields defined in props and transforms file show up correctly. These fields also show correctly: host, source and sourcetype. I can see "sourcetype=test_sourcetype" in the events. But I am unable to search events using:

sourcetype=test_sourcetype

Any help will be appreciated.

Thanks

Olavo


MartinMcNutt
Communicator

If you wish to have custom indexes searched by default you must update your Role(s) to include that index as part of the "Indexes searched by default."

  1. Settings
  2. Access controls
  3. Roles
  4. Select Role(s)
  5. Scroll down to "Indexes searched by default"
  6. Add test_index
  7. Click SAVE
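
The same change as the Roles page writes it to authorize.conf, as an added example (not from the original answer): `role_user` is Splunk's built-in user role, `test_index` is the index from the question, and the file path assumes a stand-alone indexer/search head.

```ini
# $SPLUNK_HOME/etc/system/local/authorize.conf  (assumed location; the UI writes here)
#
# Before the fix the role typically looked like this:
#   srchIndexesAllowed = main;test_index
#   srchIndexesDefault = main
# i.e. test_index was searchable, but only when index= was given explicitly,
# so a bare "sourcetype=test_sourcetype" searched main and returned nothing.

[role_user]
# Indexes this role may search at all (least privilege: list only what it needs).
srchIndexesAllowed = main;test_index
# Indexes searched when no index= clause is present.
# Keep this a subset of srchIndexesAllowed; adding an index here that is not
# allowed does not grant access, it just makes default searches fail on it.
srchIndexesDefault = main;test_index
```

Edits made by hand to the file need a splunkd restart, whereas saving the role in the UI takes effect immediately; either way you can confirm what a role resolves to with the search `| rest /services/authorization/roles | table title srchIndexesDefault srchIndexesAllowed`.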

jluste
Path Finder

It was my understanding that by default, the user roles only allow searches against index=main. If you wanted to default into other indexes, you'd have to update your roles per app behavior.


martin_mueller
SplunkTrust

Note, this is unrelated to the app but rather controlled by the user's role.

jluste
Path Finder

Yes, that's it. But I thought that this could also be set per application. Do the user roles allow per app settings? (Not an admin)


olavo123
Explorer

Also, I see that I cannot use the field "host" to perform any searches. I have to use `index=" "` first; only then do other options like "host", etc. become operational.

-Olavo


olavo123
Explorer

I forgot to add that both indexer and forwarders are version 6.1.

Thanks

Olavo
