Hello,
When I try to sample data for the WinEventLog sourcetype in Ingest Actions I get an error message: "No results found. Try expanding the time range."
Expanding the query, I see Splunk using the following, and manually running this query does not return any results either:
index=* OR index=_* sourcetype="WinEventLog"
| where sourcetype="WinEventLog"
| head 100
However, I do get results when I manually run either:
index=* OR index=_*
| where sourcetype="WinEventLog"
| head 100
OR
index=* OR index=_* sourcetype="WinEventLog"
| head 100
Can someone please explain why the first query may not be working? Is there a different way I should be working with the WinEventLog sourcetype in Ingest Actions? Thanks in advance for your help!