I have installed the Splunk App for Windows Infrastructure in my environment. All logs are coming to the indexer, but the dashboard is not populating. When I check the search, it starts with search: eventtype = "XXXXX". So, when I copy and paste the same search in the search bar, it is not working; when I add the prefix index = "*" it is working. Can anyone help?
Thanks in advance
Hi,
I found the answer.
The key for me was "index=*" - that clued me in. It was just the indexes that were being searched by default.
Settings > Access Controls > Roles > Admin > Indexes searched by default (I added msad, permon and winevents)
Once I made the changes, I started seeing my data in my dashboards.
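The check below is an added example, not part of the original posts or of the Splunk app: it reads a role's `srchIndexesDefault` from `authorize.conf` (the setting behind "Indexes searched by default"), follows `importRoles`, and lists which of the app's indexes a search without `index=` will skip. The sample file contents and function names are constructed for illustration, the index names are copied as written in the answer, and Python's `configparser` stands in for Splunk's own conf parsing.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample of an authorize.conf (not taken from the post).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_admin]
importRoles = user
srchIndexesAllowed = *;_*
srchIndexesDefault = main;os
"""

# Index names exactly as written in the answer above.
APP_INDEXES = ["msad", "permon", "winevents"]


def _split(value):
    """Splunk separates multiple indexes and roles with semicolons."""
    return [p.strip() for p in value.split(";") if p.strip()]


def default_indexes(conf_text, role, _seen=None):
    """Return the srchIndexesDefault patterns for a role, including imported roles."""
    seen = _seen if _seen is not None else set()
    if role in seen:            # guard against circular importRoles
        return set()
    seen.add(role)
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str        # keep setting names case-sensitive
    cp.read_string(conf_text)
    section = f"role_{role}"
    if not cp.has_section(section):
        return set()
    patterns = set(_split(cp.get(section, "srchIndexesDefault", fallback="")))
    for parent in _split(cp.get(section, "importRoles", fallback="")):
        patterns |= default_indexes(conf_text, parent, seen)
    return patterns


def not_searched_by_default(conf_text, role, indexes):
    """List indexes that a search without index=... will skip for this role."""
    patterns = default_indexes(conf_text, role)
    def covered(ix):
        # A bare * does not match internal indexes (names starting with _).
        return any(fnmatchcase(ix, p) and (ix[0] != "_" or p[0] == "_") for p in patterns)
    return [ix for ix in indexes if not covered(ix)]
```

An empty list from `not_searched_by_default` means the dashboards' `eventtype=` searches will reach every listed index for that role without widening the search to `index=*`.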