Hi
I have a big, big problem. I restored a CSV-based index (MS Exchange mail tracking log).
The restored data is big, over 100 GB.
When I start a search specified by fields or "*data*",
the search does not find anything. (The search process is very fast.)
I exported some restored data and ran a grep command on it, and found what I was looking for.
Any idea why I can't search in Splunk via fields or wildcards?
Regards
You are probably running in to this well-known problem:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):
[MyField]
INDEXED_VALUE = false
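To make the failure mode described in the linked post concrete, here is an added simulation (not from the original answer and not Splunk's own code) of how a `field=value` search gets pre-filtered on indexed terms before any search-time extraction runs. The events, column names and tokenizer are constructed and deliberately simplified.

```python
import csv
import io
import re

# Constructed sample events in MS Exchange message-tracking CSV style (values made up).
EVENTS = [
    '2015-09-01T10:00:01,SMTP,RECEIVE,"Alice Smith",alice@example.com,bob@example.com',
    '2015-09-01T10:00:02,SMTP,DELIVER,"Carol Jones",carol@example.com,bob@example.com',
]

# Assumed column names for the search-time extraction (not Exchange's real header).
FIELDS = ["timestamp", "source_type", "event_id", "sender_name", "sender", "recipient"]

# Simplified model of the indexed lexicon: raw text split on major breakers
# (whitespace, commas, quotes, ...) into lower-cased terms. Real Splunk segmentation
# is more elaborate, but the property that matters here is the same: a value that
# spans a breaker is never stored as a single indexed term.
MAJOR_BREAKERS = r'[\s,;|\[\]{}()"]+'

def index_terms(raw):
    return {t.lower() for t in re.split(MAJOR_BREAKERS, raw) if t}

def extract(raw):
    """Search-time field extraction: parse the event as one CSV record."""
    return dict(zip(FIELDS, next(csv.reader(io.StringIO(raw)))))

def search(field, value, indexed_value=True):
    """Simulate `field=value`; indexed_value mirrors fields.conf INDEXED_VALUE."""
    hits = []
    for raw in EVENTS:
        # INDEXED_VALUE = true (the default): the value is assumed to also exist as
        # an indexed term, so the event is discarded from the lexicon alone, before
        # extraction runs. That is why the search comes back empty, and fast.
        if indexed_value and value.lower() not in index_terms(raw):
            continue
        # INDEXED_VALUE = false: every event is extracted and compared.
        if extract(raw).get(field) == value:
            hits.append(raw)
    return hits

if __name__ == "__main__":
    print(search("sender_name", "Alice Smith"))                       # [] (filtered out)
    print(search("sender_name", "Alice Smith", indexed_value=False))  # one event
    print(search("recipient", "bob@example.com"))                     # both events
```

A value that is itself a whole indexed term (the recipient address here) matches either way, which is why only some field searches appear broken.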
On the left side, in the field list, I can see the total unique field count and the top 10 field values.
I tried selecting one field value from the field list, but the result is the same. No results, but it is in the index.
I can't understand why it doesn't work.
There isn't any stanza problem, my search was running in verbose mode.
So switch back to verbose mode, I assume you're in fast mode now.
Read the docs http://docs.splunk.com/Documentation/Splunk/6.2.6/Search/Changethesearchmode to learn more about the search modes.
Just to clarify, you can see the data in Splunk looking only at the index, right? If so:
There isn't any stanza problem, my search was running in verbose mode.
When I click on an event I can see the correct fields.
When I use a field in the search, the process ends very fast without results.