Hi everybody.
After migrating Splunk from one node to another I started having problems with eventtypes and subsearches.
We have migrated everything, from apps to users, with the related authorizations.
Now when I run a search with a simple eventtype (Eventtype "example" ---> index = linux sourcetype = suse) the search does not return any results. If you manually specify the index before the eventtype then the search works and returns results (index=linux eventtype="example").
It seems like it's a problem of access to the indexes, as the eventtype works when the index is specified. If the index has to be accessed only through the eventtype, it does not work.
I checked the various permissions and executed the eventtype from the Search app. Nothing.
If I add this index to the "Indices included by default in the search", the eventtype works.
I also noticed that the subsearch does not work. The subsearch does not work in a dashboard moved from the old node to the new one, but if I run it as a simple search it works perfectly. The search is correct because it works on the old node. Here too it seems to be a problem of authorizations. I checked them and it looks like everything is OK.
I think something happened during the migration. Although everything has been recreated in the same way.
Splunk is now at 7.0.0.
Thank you.
EDIT:
I noticed that if, instead of using an index created by the Master Node (the indexers are clustered), I use an index created locally on one of the two nodes, eventtypes work properly.
The only indices they cannot operate on are those created by the Master Node.