Searching and filtering by sourcetype and index

asarolkar
Builder

I have a universal forwarder pushing a log file from a Windows server into a Splunk indexer in this manner.

Configuration from C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf:

[monitor://C:\temp\somelogfile.txt]
disabled=0
followtail=0
index=logger
sourcetype=txt

This pushes data from that txt file (which gets updated ONCE a day, NOT rolled over) ONCE a day. Everything gets pushed out to the indexer correctly and all is fine and dandy EXCEPT:

In the Splunk search bar
-> The search works when I enter : index="logger" - I can drilldown to the sourcetype and then show events

-> The search ALSO works when I enter : index="logger" sourcetype="txt". This shows events.

-> The search does NOT work when I ONLY enter sourcetype="txt" into the splunk search bar.

No results show up


Anybody have an idea as to why Splunk would simply not recognize and filter by sourcetype ALONE when pushing data from a universal forwarder? I don't see any errors under /var/log/audit.log or any other log files, just FYI.


For most other sourcetype/index combinations that I am familiar with, you can search by either SOURCETYPE OR INDEX -- and then drill down by the OTHER once the events start to appear.

Is it possible that I am not setting something in inputs.conf that I am supposed to when the resource being indexed does not live on the indexer itself?

Any input would be appreciated.

1 Solution

Ayn
Legend

I don't think the particular way you're feeding the data into Splunk has anything to do with this. More likely, you need to specify index=logger because your user/role is not configured to search in the logger index by default. Only the main index is searched by default - you can configure this in the manager in Splunkweb:

Manager » Access controls » Roles » [role to configure] - "Indexes searched by default".

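The same role setting expressed in authorize.conf, as an added example (not from either poster or from this page); the role name "analyst" and the file path are assumptions, the index name "logger" is the one from the question:

```ini
# Assumed location: $SPLUNK_HOME/etc/system/local/authorize.conf on the search head.
# Example added here, not from the original post.
[role_analyst]
# Indexes the role is permitted to search at all. Keep this to what the role
# actually needs; a user cannot reach an index missing from this list even
# with an explicit index= term.
srchIndexesAllowed = main;logger
# Indexes searched when the query has no index= term. With only "main" here,
# sourcetype=txt alone returns nothing while index=logger sourcetype=txt works;
# adding "logger" makes the bare sourcetype search return the events.
srchIndexesDefault = main;logger
```

The Splunkweb path in the answer writes exactly these two settings; editing the file by hand requires a restart or a reload of the authentication configuration to take effect.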

asarolkar
Builder

Worked like a charm!
