Recently, I have made changes to my Splunk environment where I created new indexes and assigned multiple data sources to their respective indexes. However, once I index a single data source, that information no longer shows up on the Summary page. i.e. the message, "Waiting for data" appears in the Sources window.
Thoughts?
The default view for the Search app summary page is only going to show data from the main index. If you want to see other sources you'll need to add that index as a default for the role of the user you are logging in as. Then you'll see the sources by default instead of having to type in index="whatever".
The default view for the Search app summary page is only going to show data from the main index. If you want to see other sources you'll need to add that index as a default for the role of the user you are logging in as. Then you'll see the sources by default instead of having to type in index="whatever".
I got it, Splunk --> Manager --> Access Controls --> Admin
You can do either but throught the app is probably easiest. Look up the user to see what role they have. Then Manager -> Access Controls -> Roles. Then you'll see a box for 'Indexes searched by default'. Remember this change will apply to all users of that Role.
would a .conf file need to be changed or a setting w/in the app?