Hello, i need help.
I have Splunk 6.2
It's sending data using a universal forwarder.
But on the server, I can only search by index=
And also if i go the Search & Reporting app, I see:
What to Search
Waiting for data...
And nothing... If I open Data Summary - it's empty
What do I do?
Thank you!
Once again understood myself.
The problem was in the rights of users.
Hi
Just to Add to answer above. I too ran into the same issue. Splunk has done a few tweaks with the new version 6.2 and if you do not specify the index, the data cannot be searched successfully. hence to allow searching via sourcetype or etc.
Go to
1) Settings -> Access Control -> Roles (select the role applicable to you).
2) Scroll Down to "Indexes searched by default" and select the indexes you want to be included in your searches by default
This should work now.
Cheers
Hello, Cheers.
Thank you for your answer.
I will add - if you have more indexes or they will be added you can add the following settings:
1) Settings -> Access Control -> Roles (select the role applicable to you).
2) Scroll Down to "Indexes searched by default" and "Indexes" and select parameter "all non-internal indexes"
Sergey
Once again understood myself.
The problem was in the rights of users.