I'm facing an issue which I'm simply unable to understand
I ran a search, simply by specifying the index I want to search in like this:
index=my_index
After this, I selected one of the values which were displayed in the top 10 for the sourcetype field, and added it to my search, so I had:
index=my_index sourcetype=my:sourcetype
And then, I got 0 results. I haven't changed the time picker or anything else, and I'm unable to understand why I'm not getting any results. Checking with the metadata command, I have thousands of events with this sourcetype in the index, and Splunk is displaying this sourcetype in the values of the field, but for some reason I can't run a search for it.
Edit:
When I'm not narrowing my search with that filter, I see the events with that particular sourcetype.
Edit2:
Searching with:
index=my_index sourcetype=*
is not yielding any events with this problematic sourcetype.
The sourcetype itself is set by props.conf, could this cause any issues?
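A set of diagnostic searches for the situation described in the post above. This is an added example, not part of the original post; `my_index` and `my:sourcetype` are the poster's placeholders, and the searches assume you have read access to that index over the same time range. The point of the comparison is that `tstats` and `metadata` read the indexed sourcetype from the index's tsidx files, while `stats count by sourcetype` over raw events reports the value the field has at search time (after any props.conf rename, field alias or calculated field is applied), so a sourcetype that appears in one list but not the other tells you which side of that boundary the mismatch is on.

```spl
| tstats count where index=my_index by sourcetype
``` 

```spl
| metadata type=sourcetypes index=my_index | table sourcetype totalCount firstTime lastTime
```

```spl
index=my_index | stats count by sourcetype
```

```spl
index=my_index sourcetype::my:sourcetype
```

```spl
index=my_index sourcetype="my:sourcetype"
```

Run each search over the same time range as the original one. The `sourcetype::value` form forces a match on the indexed field, whereas `sourcetype=value` is resolved against the search-time field; if the first three searches disagree about whether `my:sourcetype` exists, or if only one of the last two returns events, the sourcetype value seen in the field sidebar is not the value stored at index time, which is what the props.conf question in the post is about.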