Events for sourcetype not visible

srobbins123
Engager

We've done the following so far.

  • Set up a new App through the web UI
  • Set up a new index through the web UI with the same name as the app
  • Configured a new sourcetype in props.conf and restarted Splunk
  • Configured the inputs.conf on a new forwarder to send all alerts to the new index
  • Started up the forwarder and configured it to send events from a file to the Splunk server, specifying the new sourcetype

We're not able to see the events from the search app. I've checked and the index contains the correct number of events. So it looks like the events are being stored but are then not visible. Any ideas what I'm doing wrong?


lguinn2
Legend

By default, the normal user roles (admin, power, user) only search the main (aka default) index. In fact, the role that you are using might not have permissions to see the new index. In the UI, go to Manager >> Access Controls and edit the role. Be sure to add this index to both the default list of indexes as well as the allowed list of indexes.

If you don't want to add the new index to the default list of indexes searched, you can add

index=xxxx

to your searches to search it explicitly.

HTH!

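As an added illustration (not code from the original thread), a small Python script that reads an authorize.conf-style role file and reports, per role, the three states the answer above describes for an index: searchable by default, searchable only with index=<name> in the search, or not searchable at all. The sample configuration and the "newapp" index name are constructed for this example; the setting names srchIndexesAllowed and srchIndexesDefault are the authorize.conf keys behind the role editor in the UI.

```python
import configparser
import fnmatch

# Constructed sample in authorize.conf format (not from any real deployment).
# "newapp" stands in for the index created alongside the new app in the question.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
srchIndexesAllowed = *;_*
srchIndexesDefault = main

[role_user]
srchIndexesAllowed = main;newapp
srchIndexesDefault = main

[role_power]
srchIndexesAllowed = main
srchIndexesDefault = main
"""

def _split(value):
    # Splunk separates index patterns in these settings with semicolons.
    return [v.strip() for v in value.split(";") if v.strip()]

def _matches(index, patterns):
    # Patterns may contain wildcards, e.g. "*" or "_*" for the internal indexes.
    return any(fnmatch.fnmatchcase(index, p) for p in patterns)

def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep srchIndexesAllowed/srchIndexesDefault as written
    cp.read_string(text)
    return cp

def index_visibility(cp, role, index):
    # Return how `index` appears to `role`: default, explicit-only or not-searchable.
    sec = cp[f"role_{role}"]
    allowed = _split(sec.get("srchIndexesAllowed", ""))
    default = _split(sec.get("srchIndexesDefault", ""))
    if not _matches(index, allowed):
        return "not-searchable"  # even index=<name> returns nothing for this role
    if _matches(index, default):
        return "default"         # found by a plain search with no index= term
    return "explicit-only"       # stored and permitted, but only with index=<name>

def report(text, index):
    # Map every role in the file to its visibility state for one index.
    cp = load_roles(text)
    roles = [s[len("role_"):] for s in cp.sections() if s.startswith("role_")]
    return {r: index_visibility(cp, r, index) for r in roles}
```

Running report(SAMPLE_AUTHORIZE_CONF, "newapp") shows the question's symptom for the user role: the events are stored and permitted, but only an explicit index=newapp search returns them.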

lguinn2
Legend

BTW, people do this all the time. I do this all the time!

