I'm trying to do a search against index=_internal but I do not see this index on my search head.
I do see it when I do a search from the indexers.
Any suggestions where I should look first to fix this?
Hi @eburnett,
at first sight the problem seems to be the one indicated by @s2_splunk.
In addition, you could check if you're sending internal logs from all your Splunk servers to the Indexer (this is a best practice for distributed architectures).
You can do this by forwarding logs from all your Splunk servers (also Search Heads) to the Indexer [Settings -- Forwarding and Receiving -- Forward].
Ciao.
Giuseppe
Sounds like your user role doesn't have permission to look at internal indices?
So I tried to do this search with the admin account and you are correct, I can see results from this search then: index=_internal*
So do I need to change permissions somewhere to see these with a user account?
Yes, you will need to provide access to indices as needed by role (not user). Please review the docs on how to go about it.
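
As an added example (not part of the thread, and not Splunk's own code): role-to-index access lives in `authorize.conf`, where `srchIndexesAllowed` is a semicolon-separated list, `*` does not match internal indexes (those need `_*` or an explicit name such as `_internal`), and roles inherit through `importRoles`. The sketch below resolves which roles may search a given index; the sample configuration and the `ops_analyst` role are constructed for illustration, and the script assumes it is given a single, already-merged configuration text.

```python
import configparser
import re

# Constructed sample, not taken from the thread's environment.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_ops_analyst]
importRoles = user
srchIndexesAllowed = _internal

[role_admin]
importRoles = user
srchIndexesAllowed = *;_*
"""

def split_list(value):
    """Split a semicolon-separated setting into clean items."""
    return [item.strip() for item in value.split(";") if item.strip()]

def pattern_matches(pattern, index):
    """Wildcard match where a pattern not starting with '_' never
    matches an internal (underscore-prefixed) index."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, index) is not None

def allowed_patterns(cfg, role, seen=None):
    """Union of srchIndexesAllowed for a role and every role it imports."""
    seen = set() if seen is None else seen
    stanza = "role_" + role
    if role in seen or not cfg.has_section(stanza):
        return set()
    seen.add(role)  # guards against import cycles
    patterns = set(split_list(cfg.get(stanza, "srchIndexesAllowed", fallback="")))
    for parent in split_list(cfg.get(stanza, "importRoles", fallback="")):
        patterns |= allowed_patterns(cfg, parent, seen)
    return patterns

def roles_that_can_search(conf_text, index):
    """Return the sorted role names whose effective settings allow `index`."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep setting names case-sensitive
    cfg.read_string(conf_text)
    roles = [s[len("role_"):] for s in cfg.sections() if s.startswith("role_")]
    return sorted(r for r in roles
                  if any(pattern_matches(p, index) for p in allowed_patterns(cfg, r)))

if __name__ == "__main__":
    print(roles_that_can_search(SAMPLE_AUTHORIZE_CONF, "_internal"))
```

On a real deployment the effective settings are merged from several app directories, so feed the script the output of `splunk btool authorize list` rather than one file. Grant `_internal` to a dedicated role instead of widening a general user role.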