We have a distributed Splunk environment. I am using Splunk_TA_windows on universal forwarders to send security event logs to a heavy forwarder and then to the indexer. I can see that data is being sent to the indexer, since I can see the size of the index growing; however, on my search head I cannot see this data. The indexer has been added as a search peer on my search head.
What could be the possible issue?
Thanks in Advance
Shubham
Check if you can see any other logs on the search head. Can you search internal logs? index=_internal - this will ensure your connectivity is working between the search head and the indexers.
If the above works, then it may be that you don't have access to the particular index with the security logs. Check permissions/access controls.
Are you doing the search with index=xxx? Sometimes you may not have default access to that index, so you have to specify it explicitly.
Are you searching the right index? Or, for a quick spot check, index=* might help.
And if you have default access to any indexes, those are the ones that show up in the data summary when you log in. Hope that explains the last bit of your question.
Check your access controls (Settings -> Access controls). Depending on how your groups/roles are configured and which group your user falls under (for example), see what role the group/user is mapped to. Once that is figured out, check that role's settings to see if it has access to that index and then default access to that index. These two are different settings for a role.
If you have access to the role but not default access, then you still have to use index=xxx; if the user/group/role has default access to that role, then you don't have to explicitly say index=xxx. But in order to gain performance, it's always better to use specific indexes in the search rather than just searching for "some strings".
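The two role settings described above correspond to srchIndexesAllowed and srchIndexesDefault in authorize.conf (importRoles pulls in the settings of inherited roles). The following script is an added example, not code from the original thread or from Splunk: it parses a constructed authorize.conf fragment (an assumption, not the poster's real configuration) and reports, for a given role and index, whether the index can be searched at all and whether a bare search without index=... would include it. The role_analyst stanza shows the situation in the question (allowed but not default); role_analyst_fixed shows the corrected stanza.

```python
import configparser
import fnmatch

# Constructed authorize.conf fragment (assumption: not the poster's deployment).
# role_analyst can search wineventlog but does not get it by default, so a search
# without index=wineventlog silently misses the data.
# role_analyst_fixed lists the index in srchIndexesDefault as well.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_analyst]
importRoles = user
srchIndexesAllowed = wineventlog;main
srchIndexesDefault = main

[role_analyst_fixed]
importRoles = user
srchIndexesAllowed = wineventlog;main
srchIndexesDefault = wineventlog;main
"""


def parse_authorize_conf(text):
    """Parse Splunk .conf text (INI syntax) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cp.optionxform = str  # keep key case (srchIndexesAllowed, not srchindexesallowed)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def _split(value):
    # Splunk separates list values with ';'
    return [v.strip() for v in value.split(";") if v.strip()]


def effective_indexes(conf, role, key, _seen=None):
    """Union of the index patterns a role gets for `key`, following importRoles."""
    _seen = _seen if _seen is not None else set()
    if role in _seen:  # guard against circular imports
        return set()
    _seen.add(role)
    stanza = conf.get("role_" + role, {})
    patterns = set(_split(stanza.get(key, "")))
    for parent in _split(stanza.get("importRoles", "")):
        patterns |= effective_indexes(conf, parent, key, _seen)
    return patterns


def _matches(index, patterns):
    # Wildcards are allowed in both settings. Splunk documents that '*' does not
    # cover internal indexes (those starting with '_'); '_*' is needed for them.
    for p in patterns:
        if index.startswith("_") and not p.startswith("_"):
            continue
        if fnmatch.fnmatchcase(index, p):
            return True
    return False


def check_index_access(conf, role, index):
    """Return (allowed, searched_by_default) for a role and an index name."""
    allowed = _matches(index, effective_indexes(conf, role, "srchIndexesAllowed"))
    default = allowed and _matches(index, effective_indexes(conf, role, "srchIndexesDefault"))
    return allowed, default


def explain(conf, role, index):
    """Human-readable verdict matching the advice in the thread."""
    allowed, default = check_index_access(conf, role, index)
    if not allowed:
        return f"role {role}: cannot search index={index}; add it to srchIndexesAllowed"
    if not default:
        return (f"role {role}: must search with index={index} explicitly; "
                f"add it to srchIndexesDefault to include it in bare searches")
    return f"role {role}: index={index} is searched by default"


if __name__ == "__main__":
    conf = parse_authorize_conf(SAMPLE_AUTHORIZE_CONF)
    for role in ("user", "analyst", "analyst_fixed"):
        print(explain(conf, role, "wineventlog"))
```

Point the parser at the merged output of splunk btool authorize list on the search head rather than a single file when checking a live system, since settings from several apps layer on top of each other.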
Thanks for your swift response. I was able to see logs after I searched using Index=wineventlog. How can I ensure that the Search app has default access to this index and is able to show the data summary on the default page?