https://community.splunk.com/t5/Getting-Data-In/Windows-host-and-source-types-not-shown-in-search/m-p/167612#M33934 <P>Ok I got it I think. <BR /> I copied authorize.conf from /etc/system/default to /etc/system/local on splunk light server and changed this line <BR /> srchIndexesDefault = main;os <BR /> to <BR /> srchIndexesDefault = wineventlog;main;os <BR /> for admin user. <BR /> After restart everything worked as it should.<BR /> I think there might be a bug in Windows Add-On not configuring correctly.</P> Sun, 21 Jun 2015 14:03:16 GMT thejohn 2015-06-21T14:03:16Z https://community.splunk.com/t5/Getting-Data-In/Windows-host-and-source-types-not-shown-in-search/m-p/167608#M33930 <P>I had to reinstall my universal forwarder on windows server and splunk stopped showing new messages. So deleted all messages of this host then I cleaned wineventlog index then reinstalled UF again because I thought that might force it. Now I don't see my server in hosts and all EventLog source types disappeared but when I search "index=wineventlog" I can see all new messages.</P> <P>How can I re-add the server to hosts and how to old source types?</P> <P>This is splunk light btw.</P> Fri, 19 Jun 2015 15:20:24 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-host-and-source-types-not-shown-in-search/m-p/167608#M33930 thejohn 2015-06-19T15:20:24Z https://community.splunk.com/t5/Getting-Data-In/Windows-host-and-source-types-not-shown-in-search/m-p/167609#M33931 <P>I restored splunk to snapshot just after install and repeated the installation of UF multiple times. First I specified only receiving server and again all logs went to wineventlog index but are not shown anywhere. Second I tried configuring UF as deployment client and server does not receive any messages. I am totally lost... </P> Sat, 20 Jun 2015 00:11:08 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-host-and-source-types-not-shown-in-search/m-p/167609#M33931 thejohn 2015-06-20T00:11:08Z https://community.splunk.com/t5/Getting-Data-In/Windows-host-and-source-types-not-shown-in-search/m-p/167610#M33932 <P>I am having the same issue here too... all my linux host are showing. WinSrv 2012 showing but now win7.</P> Sat, 20 Jun 2015 00:44:57 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-host-and-source-types-not-shown-in-search/m-p/167610#M33932 pierre31 2015-06-20T00:44:57Z https://community.splunk.com/t5/Getting-Data-In/Windows-host-and-source-types-not-shown-in-search/m-p/167611#M33933 <P>Ok so I think I know what the problem is. By default splunk searches only main index I think. Windows Add-On uses wineventlog which is not searched. I set it up again so forwarder forwards to main index instead of wineventlog and success, the host and sourcetypes were shown. So now the question is how do I configure splunk light to also search wineventlog index. If you use splunk enterprise I think you just need to set up roles so that it is visible by your user. Don't know how to do this on light yet...</P> <P>edit:<BR /> Also when I configured UF as deployment client I thought it will forward messages on its own, but it turns out you still need to add receiving server.</P> Sun, 21 Jun 2015 13:26:13 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-host-and-source-types-not-shown-in-search/m-p/167611#M33933 thejohn 2015-06-21T13:26:13Z https://community.splunk.com/t5/Getting-Data-In/Windows-host-and-source-types-not-shown-in-search/m-p/167612#M33934 <P>Ok I got it I think. <BR /> I copied authorize.conf from /etc/system/default to /etc/system/local on splunk light server and changed this line <BR /> srchIndexesDefault = main;os <BR /> to <BR /> srchIndexesDefault = wineventlog;main;os <BR /> for admin user. <BR /> After restart everything worked as it should.<BR /> I think there might be a bug in Windows Add-On not configuring correctly.</P> Sun, 21 Jun 2015 14:03:16 GMT https://community.splunk.com/t5/Getting-Data-In/Windows-host-and-source-types-not-shown-in-search/m-p/167612#M33934 thejohn 2015-06-21T14:03:16Z