Why can't I search by Source using HUNK?

EricLloyd79 · ‎06-28-2018

We currently use HUNK and have a virtual index to search a MapRFS. When I run the search I can clearly see that source kpis are created showing where the file is. When I click on it and choose Add to Search, it doesn't find any results - which makes no sense at all.

Anyone else seen this behavior?

rdagan_splunk · ‎07-02-2018

At least based on my test, using ' source ' worked as expected. It tried these two options:
index=avrodata source="/user/root/data/Avro/20150625/x/20150625.avro" | stats count
and
index=avrodata | stats count by source

EricLloyd79 · ‎08-01-2018

This still does not work for me. I will search index=mapr | stats count in Verbose mode, then click on one of the hosts to add it to the search so I know its there and it produces a search query like:
index=mapr source="abc/xyz.log | stats count
But now no results are returned.

burwell · ‎06-29-2018

Hi. I just tested in 2 different Spunk environments: Splunk 6.6.4 and 6.6.8.

In both cases I could search for

index=foo sourcetype=bar

OR

index=* sourcetype=bar

And I did get records.

I suggest you do your search that gets data and try

  index=foo | stats count by sourcetype

Just to confirm.. And also share your configs. Do you have the stanza in props.conf that is something like

[source::/path/to/hdfs/...]
priority          = 123
sourcetype        = bar

EricLloyd79 · ‎06-29-2018

I am trying to search by SOURCE
not SOURCETYPE

Why can't I search by Source using HUNK?

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!