I created a new index for syslog servers to store remote syslog messages coming in on a data input, UDP:514.
The index name is 'syslogservers'. I've configured and stored it in the same directory as the other (default) indexes.
However, when I try to run a search for events with the filter source="UDP:514", the search comes back with no events.
Looking a bit closer, it seems that by default the search only looks in the main index.
I have to add index="syslogservers" to the search filter for any events to be returned.
I've tried to figure this out, but I'm still a bit green with Splunk. Is there a way to tell Splunk to also search the additional index?
Any assistance you can provide would be greatly appreciated.
Instance specs:
HOST: Win2k16
Splunk Enterprise V7.2.5.1
Build: 962d9a8e1586
Search & Reporting V7.2.5.1
Regards,
Sebastiano
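The input, index and role scoping the post describes, as an added example that is not part of the original post and not Splunk's shipped configuration. The three stanzas below are what a single-instance setup would carry in $SPLUNK_HOME/etc/system/local/ (or an app's local directory); the $SPLUNK_DB paths, the sourcetype, and the choice of role_user as the searching account's role are assumptions. The security-relevant point is the last stanza: a role's srchIndexesDefault is the scope applied whenever a search omits index=, so events in any index outside it are silently invisible to that search.

```ini
# Added example: assumed single Splunk Enterprise instance, files under
# $SPLUNK_HOME/etc/system/local/, index "syslogservers", UDP listener on 514,
# and a searching account that holds role_user.

# --- inputs.conf: route the UDP listener into the new index -----------------
# Without "index = syslogservers" the listener writes to main, so a search
# scoped only to main would find the events and the new index would stay empty.
[udp://514]
index = syslogservers
sourcetype = syslog
connection_host = ip

# --- indexes.conf: the index itself, stored beside the default indexes ------
[syslogservers]
homePath   = $SPLUNK_DB/syslogservers/db
coldPath   = $SPLUNK_DB/syslogservers/colddb
thawedPath = $SPLUNK_DB/syslogservers/thaweddb

# --- authorize.conf: what a role may search vs. what it searches by default -
# srchIndexesAllowed is the permission (least privilege: list only the
# indexes the role needs, not *). srchIndexesDefault is the scope used when
# the search string contains no index=; anything outside it is never scanned.
# Values are separated by semicolons.
[role_user]
srchIndexesAllowed = main;syslogservers
srchIndexesDefault = main;syslogservers
```

Restart splunkd after editing indexes.conf or authorize.conf, then confirm the merged role setting with `splunk btool authorize list role_user --debug` before testing the bare search again. Even with the default widened, it is safer to keep index=syslogservers explicit in saved searches and alerts: widening srchIndexesDefault makes every un-scoped search by that role scan every listed index, and detection content that relies on a per-role default breaks silently when the role is changed or the search is run under another account.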