Events for sourcetype not visible

Question

We've done the following so far.

Setup a new App through the webui
Setup a new index through the webui with the same name as the app
Configured a new sourcetype in props.conf and restarted splunk
Configured the inputs.conf on a new forwarder to send all alerts to the new index
Started up the forwarder and configured it to send events from a file to splunk server specifying the new sourcetype

We're not able to see the events from the search app. I've checked and the index contains the correct number of events. So it looks like the events are being stored but are then not visible. Any ideas what I'm doing wrong?

Accepted Answer

By default, the normal user roles (admin, power, user) only search the main (aka default) index. In fact, the role that you are using might not have permissions to see the new index. In the UI, go to Manager >> Access Controls and edit the role. Be sure to add this index to both the default list of indexes as well as the allowed list of indexes.

If you don't want to add the new index to the default list of indexes searched, you can add

index=xxxx

to your searches to search it explicitly.

HTH!

Events for sourcetype not visible

Follow this question

Splunk Resources

Related questions