Hi,
I have a universal forwarder forwarding some log files to a Splunk index instance. I created a sourcetype for these log files. Now in the default search app, I can see the logs when I type "sourcetype=xxx". But the same sourcetype is not available in the Splunk app I created.
Is all sourcetypes visable to all Splunk apps? If not, where can I configure the permissions?
Thanks.
See the responses here:
http://answers.splunk.com/answers/110479/cant-access-data-from-non-main-index-using-custom-app-sidev...
Basically, visibility at the sourcetype (and index) level is defined by the logged-in user's role, not by the application itself.