I'm new to Splunk - as in this morning - but have been shown around it a few times. I've just downloaded the free version and installed everything fine. I have set up an indexer and started adding data from a folder location.
The summary shows all of the files in the directory and has found the two sources which I wanted to see, which is great.
Under Source Types I have a source DataNormalisation, and its Last Update time is "Tue Mar 27 09:32:33 2012". When I click it and go for Last 7 Days, the last message is from the 23rd. If I look in the file, the last message is today - because the service is running now and logging now.
What am I doing wrong?
Head/Tail issue?
Please see the following three images in order as proof...
See on Page 2 the last message is on 26th...
The problem seems to be related to the index. I was using a new index which I had made; when I just tried using the main index, it started straight away.
Is this a limitation of the free version?
By default Splunk will search, and the search app references, the main index. If you search index=YOURINDEX, it should return all your events.