topic Re: Can't search in Splunk Search

Can't search

wiz561 — Sat, 16 May 2015 22:43:19 GMT

I am just getting started with Splunk at home on Ubuntu. I'm gathering logs from my pfsense firewall and I can see that there are indexed events. When trying to search for something, the search box gets disabled and a little "do not enter" or "no" sign shows up where the cursor is. No results are returned.

I'm just typing in host="10.0.110.1" in the search field.

I'm assuming that there isn't something running that needs to be. I did switch the license from enterprise trial to the free 500meg/day license.

Re: Can't search

woodcock — Tue, 19 May 2015 14:48:23 GMT

You (probably) need to specify an index; try this:

index=* OR index=_* host="10.0.110.1"

Re: Can't search

wiz561 — Tue, 19 May 2015 15:59:26 GMT

Thanks for the response. I think the problem lies deeper than this. I installed the *nix app and can sucessfully gather information from the local box. Even though Splunk says it is receiving information, I don't think it's making it searchable for some reason.

Re: Can't search

woodcock — Tue, 19 May 2015 16:02:56 GMT

See what Splunk is complaining about with this search:

index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | table cluster_count _raw | sort -cluster_count

Re: Can't search

amiracle — Tue, 30 Jun 2015 16:32:24 GMT

Did you add the os index and any other custom index to the Search Index by default. In the Web UI (Settings -> Access Controls -> Roles -> Admin -> scroll down to 'Indexes searched by default' and add the indexes you want to search by default. I hope that helps.