Getting Data In

SourceType doesn't show in Search Screen

cbauza
Engager

I've been evaluating Splunk last week: creating SourceType and uploading, indexing files. Fine.

Now I switched to the Free version and I can't see the new SourceType I'm creating from now,
The Add Data process goes smoothly, new datas shows in Manager » Data inputs » Files & directories*
But doesn't show in App > Search > Source Type
And the search returns 0 (cannot find the newly created sourceType)

Is there some functional changes in Free Version ?

Are there some logs I can look at ? (from the UI there is no error/warning msg)

Tags (2)
0 Karma

kurtus
Engager

This helped be solve it.

http://splunk-base.splunk.com/answers/33812/cannot-search-using-sourcetype-but-can-search-with-index

BUT all you need to do is make sure that the index this sourcetype is in is added to the list of indexes to search.

Otherwise you will have to do "index=* sourcetype=mysourcetype" instead of "sourcetype=mysourcetype"

It seems that changing licenses changed the perms associated with your roles...or something.

0 Karma

Masa
Splunk Employee
Splunk Employee

If there are new events comming constntly, you should try real time all window with;

index=* | stats count by sourcetype

If this does not show what you are looking for, try

index=* | stats count by source

To ckeck if the new sourcetype events were indexed, you should also see the sourcetype in splunk internal log, called metrics.log

index=_internal source=metrics.log per_sourcetype_thruput | timechart span=1h sum(kb) by series

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...