I am not sure if anyone else has seen this issue, but at least 3 times lately I have done a broad search on an IP, in our Splunk instance of 4.3.1, and have gotten at least 3 sourcetypes - this particular one being our Cisco ASA, DHCP, and web filter. However, when re-running the search 4 or 5 or 6 hours later the Cisco ASA sourcetype no longer shows up in the results.
Is anyone aware of this specific issue? Or where can I start to troubleshoot this? Within the SOS app, the Cisco ASA index is showing it's receiving events and is current. And I can do a search on the Cisco ASA sourcetype.
Our Splunk instance is made up of 4 servers: a search head and 3 indexers. Would it make sense to log in to the indexer receiving the Cisco events and check there?