Why is my search returning no events after data en...

jip31 · ‎09-04-2018

Hello

I have done a data entry in Splunk for the log event below :

[WinEventLog://Microsoft-Windows-PowerCfg/Diagnostic]
checkpointInterval = 5
current_only = 0
disabled = 0
index = windows
start_from = oldest

But when I'm doing a search on this sourcetype, i have no events
I think its because these event logs don't exist in the event viewer?
if its the case is anybody knows how to create it?
thanks

woodcock · ‎09-14-2018

If there are no events in the Windows Event Viewer on that server, then you are correct: there is nothing to be sent to Splunk so you will not have any events to search.

inventsekar · ‎09-04-2018

from this host, do you have other logfiles being sent to Splunk?!?! are they reaching splunk indexer properly?!?!
after added the inputs.conf on that windows system, did you do splunk service restart?!?!

jip31 · ‎09-04-2018

yes for all your questions....

adonio · ‎09-04-2018

try to put index=windows or index=* before your search

jip31 · ‎09-04-2018

I done it but no events....

adonio · ‎09-08-2018

ok. please start here:
http://docs.splunk.com/Documentation/Splunk/7.1.2/Troubleshooting/Cantfinddata
read all the way through.

Why is my search returning no events after data entry?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms