Among other things, I have the Enterprise Security and Splunk_TA_ipfix apps installed and am successfully indexing IPFIX data (into the index named "ipfix"). From the search app, when I dump the index with the search command: "index=ipfix" I can see the data and the interesting fields are parsed out like I expect. When I do the same search in the Enterprise Sec app, the events show but none of the fields show on the left side. I'll guess this is a permissions issue, but I looked at all of the places I could think of and everything looks like I think it should.
Can somebody explain what I'm missing to make this work?
I'll answer my own question...
I missed doing a necessary splunk restart. Once I did that, it worked as expected.
@miked531, sometimes these small misses eat our head. I am glad you found your answer. Please go ahead and mark Accept this as answered.