For 2 of my sourcetypes, entering index=my_index sourcetype=my_sourcetype shows all data, but if I try to search by sourcetype=my_sourcetype there is no data. Worse, when I go to Search & Reporting and look through the available sourcetypes, one of them isn't even in there, and the other one just shows 2 records (there are thousands when paired with index=my_index).

I saw the answer for http://answers.splunk.com/answers/173380/why-does-my-sourcetype-search-return-no-results-bu.html?utm... but I'm either not understanding the solution or it doesn't work for my environment. I went into access controls\roles and added the two indexes in question to my default search, but there was no effect.

Your other searches had results without having to specify an index because the other indices are included in your role’s Indexes searched by default setting, but the new index my_index is not. This problem is the result of a very common but VERY bad habit. A user-level best-practice is to always be as specific about your search query as possible and, to that end, always include index= and sourcetype= directives. What is worse than a no-results situation is a wrong-results one where you get one set of results but your boss gets a different set (because you are not in the same role and do not have the same Indexes searched by default setting). There are 2 ways to preclude this problem. You can change this setting to All non-internal indexes so that every new index is automatically included in non-index-specific searches without any extra administration. The better way is to set it to nothing (empty) thus forcing users to be habitually index-specific!

Go to Settings -> Access controls -> Users and find your user: make note of the roles you have and then go to Settings -> Access controls -> Roles and inspect the various Indexes searched by default values for your role and note that none of them is set to All non-internal indexes and none of them has my_index. Create a new role called search_all_indexes_by_default that has All non-internal indexes for the Indexes searched by default and add this new role to your user, or better yet, to the user role so it will apply to all users.

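As an added illustration of the answer above (not code from the thread or from Splunk), this Python script resolves which indexes a user's roles search by default from an authorize.conf fragment and checks whether my_index is among them. The sample configuration and the analyst role are constructed; it assumes the UI setting is stored as srchIndexesDefault, that All non-internal indexes is the pattern `*`, and that defaults are unioned across a user's roles and their importRoles.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf fragment (sample data, not from the thread).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesDefault = main

[role_analyst]
importRoles = user
srchIndexesDefault = os

[role_search_all_indexes_by_default]
srchIndexesDefault = *
"""

def split_list(value):
    """Split a semicolon-delimited authorize.conf value into clean items."""
    return [item.strip() for item in value.split(";") if item.strip()]

def load_roles(text):
    """Return {role_name: settings} for every [role_<name>] stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep camelCase keys such as srchIndexesDefault
    parser.read_string(text)
    return {s[len("role_"):]: dict(parser[s])
            for s in parser.sections() if s.startswith("role_")}

def default_patterns(roles, names, seen=None):
    """Union of srchIndexesDefault patterns over roles and their importRoles."""
    seen = set() if seen is None else seen
    patterns = set()
    for name in names:
        if name in seen or name not in roles:
            continue  # unknown role, or already visited (import cycle)
        seen.add(name)
        patterns.update(split_list(roles[name].get("srchIndexesDefault", "")))
        imported = split_list(roles[name].get("importRoles", ""))
        patterns |= default_patterns(roles, imported, seen)
    return patterns

def searched_by_default(index, patterns):
    """True if a search with no index= clause would include this index."""
    for pattern in patterns:
        # "*" never matches internal indexes; only "_"-prefixed patterns do.
        if index.startswith("_") and not pattern.startswith("_"):
            continue
        if fnmatchcase(index, pattern):
            return True
    return False
```
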
Great, thank you!
Yes, it's a bad habit but it's a very convenient bad habit.
If I can't be a reformer, I guess I will settle for being a corrective enabler; don't forget to "Accept".