I have an index in Splunk enterprise named "my_index". When I search for data using index="my_index" for the last 24 hours I get all results I want. I have some custom tags\fields for instance branch, version, product etc that I want to filter on.
When I click on the branch from the events viewer and click add to search no results are found, even though they were there in the previous results returned for the same time period. Similarly when I type into the search bar and select the autocomplete for the branch I want nothing is returned.
What is the reason this is happening?
Searching index="my_index" in the last 24hrs returns results including branch="mybranch-1-2" but searching for index="my_index" branch="mybranch-1-2" for the last 24hrs returns no results found.
... View more