I receive some hosts from firewalls/wireless controllers and they show up when you search for *. Recently I have some events from an Apache webserver. I used this guide: http://danielmiessler.com/blog/howto-use-splunk-as-your-remote-syslog-server
And I have set up syslog-ng to filter the events and put them in a folder upon arrival,
like this: http://answers.splunk.com/questions/8912/syslog-ng-filter-by-ip
The events appear as expected in the folder and you see them if you search for, for example,
source="/opt/splunk/var/log/syslog-ng/192.168.1.5/messages", but I would like them to appear when you search for *.
Any ideas what to look for?
Your timestamps are probably incorrect, possibly due to TZ issues. Run this search and make sure that avg(lagSeconds) is small and >0:
index=* | eval lagSeconds=_index_time - _time | stats avg(lagSeconds) by sourcetype,host,index
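The search above computes, per host, how far behind the event timestamp the indexer received each event. As an added example (not code from the original thread or from Splunk), the Python below does the same arithmetic offline on a constructed batch of RFC 3164 syslog lines, so you can see why a timezone mismatch shows up as a negative or large average lag. The host names, timestamps and the assumed sender timezones are all constructed for the illustration.

```python
"""Timestamp lag check for syslog events (added example, not Splunk's own code).

Mimics the Splunk search
    index=* | eval lagSeconds=_index_time - _time | stats avg(lagSeconds) by host
on constructed RFC 3164 syslog lines. BSD-style syslog timestamps carry no year
and no timezone marker, so the indexer has to assume one; if the assumption
does not match the sender, every event lands with a constant offset.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

YEAR = 2013  # RFC 3164 timestamps have no year; assume one when parsing (constructed)

# Constructed senders: fw01 stamps lines in UTC, webserver in UTC+01:00.
FW_TZ = timezone.utc
WEB_TZ = timezone(timedelta(hours=1))


def _epoch(y, mo, d, h, mi, s, tz):
    """Epoch seconds for a wall-clock time in a given timezone."""
    return datetime(y, mo, d, h, mi, s, tzinfo=tz).timestamp()


# (raw syslog line, epoch seconds when the indexer received it), constructed so
# that each line is indexed two seconds after the sender stamped it.
SAMPLE_EVENTS = [
    ("Jan 12 10:15:02 fw01 kernel: DROP IN=eth0 SRC=10.0.0.9",
     _epoch(2013, 1, 12, 10, 15, 4, FW_TZ)),
    ("Jan 12 10:15:07 fw01 kernel: DROP IN=eth0 SRC=10.0.0.9",
     _epoch(2013, 1, 12, 10, 15, 9, FW_TZ)),
    ("Jan 12 10:15:02 webserver apache2: GET /index.html 200",
     _epoch(2013, 1, 12, 10, 15, 4, WEB_TZ)),
    ("Jan 12 10:15:30 webserver apache2: GET /about.html 200",
     _epoch(2013, 1, 12, 10, 15, 32, WEB_TZ)),
]


def parse_event(line, assumed_tz, year=YEAR):
    """Return (host, event epoch) for one RFC 3164 line under an assumed timezone."""
    mon, day, clock, host, _rest = line.split(None, 4)
    naive = datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S")
    stamped = naive.replace(year=year, tzinfo=assumed_tz)
    return host, stamped.timestamp()


def avg_lag_by_host(events, assumed_tz):
    """Equivalent of: eval lagSeconds=_index_time - _time | stats avg(lagSeconds) by host."""
    lags = defaultdict(list)
    for line, index_time in events:
        host, event_time = parse_event(line, assumed_tz)
        lags[host].append(index_time - event_time)
    return {host: sum(v) / len(v) for host, v in lags.items()}


def diagnose(avg_lag, max_ok_seconds=300):
    """Flag hosts whose lag is not 'small and > 0'; healthy hosts are omitted."""
    problems = {}
    for host, lag in avg_lag.items():
        if lag < 0:
            problems[host] = "negative lag: events stamped in the future, timezone likely wrong"
        elif lag > max_ok_seconds:
            problems[host] = "large lag: delayed delivery or timezone offset"
    return problems


if __name__ == "__main__":
    # The indexer assumes every sender stamps in UTC; only fw01 actually does.
    lag = avg_lag_by_host(SAMPLE_EVENTS, timezone.utc)
    for host, seconds in sorted(lag.items()):
        print(f"{host:10s} avg lagSeconds={seconds:9.1f}")
    for host, why in diagnose(lag).items():
        print(f"{host}: {why}")
```

Run with the indexer assuming UTC and fw01 shows a healthy lag of about 2 seconds, while webserver shows roughly -3598 seconds: its events are stamped an hour in the future, which is exactly the case where a real-time search never displays them. Fixing the sender's timezone, or telling Splunk the correct one for that source (the TZ setting in props.conf), brings the lag back to small and positive.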
Are your timestamps correct? A real-time search won't display events if timestamps are incorrect.