https://community.splunk.com/t5/Deployment-Architecture/Why-I-m-not-see-new-host-from-added-Universal-Forwarder/m-p/219320#M23760 <P>I have installed forwarder to a new Windows machine with default settings (with installed Splunk Add-on for Microsoft Windows and enabled WinEventLogs: system, security and Application). I see in Splunk (with installed Splunk Add-on for Microsoft Windows 4.8.0) that data is arrives, but I can't find any events in search with this host and even this host in hosts list. Even if I manually add settings to <EM>C:_Program Files_SplunkUniversalForwarder_etc_system_local_inputs.conf</EM> </P> <PRE><CODE>[WinEventLog://Security] disabled = 0 start_from = newest index = wineventlog </CODE></PRE> <P>Splunk v.6.3.0</P> Tue, 29 Sep 2020 07:49:02 GMT DimkoBilanko 2020-09-29T07:49:02Z https://community.splunk.com/t5/Deployment-Architecture/Why-I-m-not-see-new-host-from-added-Universal-Forwarder/m-p/219320#M23760 <P>I have installed forwarder to a new Windows machine with default settings (with installed Splunk Add-on for Microsoft Windows and enabled WinEventLogs: system, security and Application). I see in Splunk (with installed Splunk Add-on for Microsoft Windows 4.8.0) that data is arrives, but I can't find any events in search with this host and even this host in hosts list. Even if I manually add settings to <EM>C:_Program Files_SplunkUniversalForwarder_etc_system_local_inputs.conf</EM> </P> <PRE><CODE>[WinEventLog://Security] disabled = 0 start_from = newest index = wineventlog </CODE></PRE> <P>Splunk v.6.3.0</P> Tue, 29 Sep 2020 07:49:02 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-I-m-not-see-new-host-from-added-Universal-Forwarder/m-p/219320#M23760 DimkoBilanko 2020-09-29T07:49:02Z https://community.splunk.com/t5/Deployment-Architecture/Why-I-m-not-see-new-host-from-added-Universal-Forwarder/m-p/219321#M23761 <P>The most common reason for your problem is: you aren't looking in the right index. People often forget (I know I do) that your role might not automatically search a new index by default. And if it doesn't, the data <STRONG>won't</STRONG> show up in the data summary. The data summary only looks at indexes the user is allowed to search by defautlt. So try</P> <PRE><CODE>index=* host=yourhostname </CODE></PRE> <P>and see what you get!</P> Thu, 05 Nov 2015 20:11:01 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-I-m-not-see-new-host-from-added-Universal-Forwarder/m-p/219321#M23761 lguinn2 2015-11-05T20:11:01Z https://community.splunk.com/t5/Deployment-Architecture/Why-I-m-not-see-new-host-from-added-Universal-Forwarder/m-p/219322#M23762 <P>Thanks Iguinn! But I thought, for me as builtin admin (with admin role) should be available all indexes by default.</P> Fri, 06 Nov 2015 14:22:25 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-I-m-not-see-new-host-from-added-Universal-Forwarder/m-p/219322#M23762 DimkoBilanko 2015-11-06T14:22:25Z https://community.splunk.com/t5/Deployment-Architecture/Why-I-m-not-see-new-host-from-added-Universal-Forwarder/m-p/219323#M23763 <P>That is not the default for the admin role!</P> Fri, 06 Nov 2015 16:23:13 GMT https://community.splunk.com/t5/Deployment-Architecture/Why-I-m-not-see-new-host-from-added-Universal-Forwarder/m-p/219323#M23763 lguinn2 2015-11-06T16:23:13Z