All Apps and Add-ons

Why does "sourcetype="MSExchange*"" get no results but "sourcetype="MSExchange*" index="msexchange" " does?


I am setting up the Splunk App for Exchange. I have plenty of data coming in with a sourcetype of "MSExchange*" however the guided setup cannot find the events and fails.

Using index="msexchange" in a search retrieves all the events but what is keeping the search failing by only entering sourcetype?

I've checked the configuration files for all the apps and they seem fine according to Splunk documentation.

0 Karma

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!