I am trying to add McAfee DM Mon tool to Splunk via REST Data Input (XML format). I have the index created, all the fields on UI is filled in (url/basic auth/usrname/auth passwd/sourcetype/index ..etc). But no data is being seen in search. Is there any config file I need to be looking into ?
what do you mean when you say " all the fields on UI is filled in"? - are you seeing data?
I would try a couple of things:
1. are you seeing errors in index=_internal? are you sure something is coming back from your API calls? Can you try to hit it directly and get results?
2. if the answer to the above is yes, check permissions for your knowledge bundles