Getting Data In

Searching and filtering by sourcetype and index

asarolkar
Builder

I have a universal forwarder pushing a log file from a Windows server into a Splunk indexer in this manner.

Configuration from ->
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf

[monitor://C:\temp\somelogfile.txt]
disabled=0
followtail=0
index=logger
sourcetype=txt

This pushes data from that txt file (which gets updated ONCE a day, NOT rolled over) -- ONCE a day. Everything gets pushed out to the indexer correctly and all is fine and dandy EXCEPT:

In the Splunk search bar:

-> The search works when I enter index="logger" - I can drill down to the sourcetype and then show events.

-> The search ALSO works when I enter index="logger" sourcetype="txt". This shows events.

-> The search does NOT work when I ONLY enter sourcetype="txt" into the Splunk search bar. No results show up.


Anybody have an idea as to why Splunk would simply not recognize and filter by sourcetype ALONE when pushing data from a universal forwarder? I don't see any errors under /var/log/audit.log or any other log files, just FYI.


For most other sourcetype/index combinations that I am familiar with, you can search by either SOURCETYPE OR INDEX -- and then drill down by the OTHER once the events start to appear.

Is it possible that I am not setting something in inputs.conf that I am supposed to when the resource being indexed does not live on the indexer itself?

Any input would be appreciated.

1 Solution

Ayn
Legend

I don't think the particular way you're feeding the data into Splunk has anything to do with this. More likely, you need to specify index=logger because your user/role is not configured to search in the logger index by default. Only the main index is searched by default - you can configure this in the manager in Splunkweb:

Manager » Access controls » Roles » [role to configure] - "Indexes searched by default".
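
The accepted answer turns on two per-role lists in authorize.conf: srchIndexesAllowed (which indexes the role may search at all, so an explicit index= works) and srchIndexesDefault (which indexes are searched when the query names none), both inherited through importRoles. The script below is an added diagnostic, not code from this thread or from Splunk; it reads a constructed authorize.conf sample and reports, for a given role and index, which of the two lists the index is missing from.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf (not from the thread): the 'analyst' role
# imports 'user', which may search main and logger but defaults to main only.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main;logger
srchIndexesDefault = main

[role_analyst]
importRoles = user
srchIndexesAllowed = sec_*
"""

def load_roles(text):
    """Return {role_name: {lowercased_key: value}} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None)  # option names are lowercased
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def effective(roles, role, key, seen=None):
    """Union of a semicolon-separated list over the role and every role it imports."""
    if seen is None:
        seen = set()
    if role in seen or role not in roles:  # guards against import cycles / unknown roles
        return set()
    seen.add(role)
    values = {v.strip() for v in roles[role].get(key, "").split(";") if v.strip()}
    for parent in roles[role].get("importroles", "").split(";"):
        values |= effective(roles, parent.strip(), key, seen)
    return values

def diagnose(text, role, index):
    """Explain what a search run by this role sees for the index ('*' patterns honoured)."""
    roles = load_roles(text)
    allowed = any(fnmatchcase(index, p) for p in effective(roles, role, "srchindexesallowed"))
    default = any(fnmatchcase(index, p) for p in effective(roles, role, "srchindexesdefault"))
    if not allowed:
        return "not allowed: even index=%s returns nothing" % index
    if not default:
        return "allowed but not default: index=%s must be specified explicitly" % index
    return "default: searches without index= include %s" % index

if __name__ == "__main__":
    # Reproduces the thread's symptom: sourcetype=txt alone finds nothing for this role.
    print(diagnose(SAMPLE_AUTHORIZE_CONF, "analyst", "logger"))
```

The same two lists can be inspected live from the search bar with `| rest /services/authorization/roles | table title srchIndexesAllowed srchIndexesDefault`, which is the quickest way to confirm a role-scoping cause before touching any inputs.conf.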



asarolkar
Builder

Worked like a charm!
