This stanza works and indexes events:
[monitor://\Njros1bva0624\c_root$\Program Files\eClarifyPM\eClarifyPM.log]
disabled = false
host = ECLARIFYLOG_HOST
alwaysOpenFile = 1
sourcetype = ECLARIFYLOG
If I shut down Splunk, clean the indexes, then change the above stanza to the stanza below and then restart Splunk, this stanza does not result in any indexing of events:
[monitor://\Njros1bva0624\c_root$\Program Files\eClarifyPM\eClarifyPM.log]
disabled = false
host = ECLARIFYLOG_HOST
alwaysOpenFile = 1
sourcetype = ECLARIFYLOG
index=imaging]
The index, imaging, does exist.
Please advise
I think you should use search as: index=imaging .... Or you can go to Access Control->Role and add that index into your user's selected indexes. If not, try to restart again.
Now I understand your comments about user's selected indexes..you need to add it to the role's default indexes..bingo!!
Try these commands:
/opt/splunk/bin/splunk stop
/opt/splunk/bin/splunk clean eventdata [imaging|main]
/opt/splunk/bin/splunk start
The problem isn't a search. It doesn't index any files when I add the index=imaging.
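An added example, not part of the thread and not Splunk tooling: a Python check that parses an inputs.conf monitor stanza such as the one in the question and reports an `index` value that is malformed or not defined in indexes.conf. The stanza text is copied from the question as posted; the indexes.conf sample is constructed, and the index-name pattern is an assumption based on Splunk's documented naming rule for user-created indexes.

```python
import re

# Assumption: user-created index names use lowercase letters, digits,
# underscores and hyphens, and do not start with an underscore or hyphen.
INDEX_NAME = re.compile(r"^[a-z0-9][a-z0-9_-]*$")

# Stanza exactly as posted in the question (raw string keeps the backslashes).
POSTED_INPUTS = r"""[monitor://\Njros1bva0624\c_root$\Program Files\eClarifyPM\eClarifyPM.log]
disabled = false
host = ECLARIFYLOG_HOST
alwaysOpenFile = 1
sourcetype = ECLARIFYLOG
index=imaging]
"""
# Constructed sample of an indexes.conf that defines the imaging index.
SAMPLE_INDEXES = "[imaging]\nhomePath = $SPLUNK_DB/imaging/db\n"


def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def check_monitor_indexes(inputs_text, indexes_text):
    """Return (stanza, problem) pairs for monitor inputs with a suspect index."""
    defined = set(parse_conf(indexes_text))
    problems = []
    for name, settings in parse_conf(inputs_text).items():
        if not name.startswith("monitor://") or "index" not in settings:
            continue  # no index key: the input goes to the default index
        index = settings["index"]
        if not INDEX_NAME.match(index):
            problems.append((name, f"malformed index value {index!r}"))
        elif index not in defined:
            problems.append((name, f"index {index!r} not defined in indexes.conf"))
    return problems


if __name__ == "__main__":
    print(check_monitor_indexes(POSTED_INPUTS, SAMPLE_INDEXES))
```

This only validates the input side; whether a search returns the events still depends on the role's index settings discussed in the replies.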