Searching and filtering by sourcetype and index

asarolkar
Builder

I have a universal forwarder pushing a log file from a Windows server into a Splunk indexer in this manner.

Configuration from:
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf

[monitor://C:\temp\somelogfile.txt]
disabled=0
followtail=0
index=logger
sourcetype=txt

This pushes data from that txt file (which gets updated ONCE a day, NOT rolled over) ONCE a day. Everything gets pushed out to the indexer correctly and all is fine and dandy EXCEPT:

In the Splunk search bar:
-> The search works when I enter: index="logger". I can drill down to the sourcetype and then show events.

-> The search ALSO works when I enter: index="logger" sourcetype="txt". This shows events.

-> The search does NOT work when I ONLY enter sourcetype="txt" into the Splunk search bar.

No results show up.


Anybody have an idea as to why Splunk would simply not recognize and filter by sourcetype ALONE when pushing data from a universal forwarder? I don't see any errors under /var/log/audit.log or any other log files, just FYI.


For most other sourcetype/index combinations that I am familiar with, you can search by either SOURCETYPE OR INDEX, and then drill down by the OTHER once the events start to appear.

Is it possible that I am not setting something in inputs.conf that I am supposed to when the resource being indexed does not live on the indexer itself?

Any input would be appreciated.

1 Solution

Ayn
Legend

I don't think the particular way you're feeding the data into Splunk has anything to do with this. More likely, you need to specify index=logger because your user/role is not configured to search the logger index by default. Only the main index is searched by default; you can configure this in the manager in Splunkweb:

Manager » Access controls » Roles » [role to configure] - "Indexes searched by default".

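The role setting referred to above lives in authorize.conf on the search head. As an added illustration (not from this thread), here are the relevant lines of the same stanza before and after the fix, assuming the searching user holds the built-in `user` role and that `logger` is the index from the question:

```ini
# authorize.conf, [role_user] stanza (added example, not from this thread).
# Assumes the searching user holds the built-in "user" role.

# BEFORE: the role may search "logger" when it names it explicitly
# (it is listed in srchIndexesAllowed), but a search with no index=
# term only looks in "main". That is why
#   sourcetype="txt"
# returns nothing while
#   index="logger" sourcetype="txt"
# returns events.
[role_user]
srchIndexesAllowed = main;logger
srchIndexesDefault = main

# AFTER: add "logger" to the default list so that a sourcetype-only
# search reaches it. srchIndexesAllowed stays the access boundary:
# widening srchIndexesDefault never grants a role access to an index
# it is not allowed to search, so keep the allowed list as narrow as
# the role actually needs.
[role_user]
srchIndexesAllowed = main;logger
srchIndexesDefault = main;logger
```

The two stanzas are shown for comparison only; a real file carries one. After the change, the search `| rest /services/authorization/roles | table title srchIndexesDefault srchIndexesAllowed` (an assumed check, not from the thread) lists the effective values per role so you can confirm which indexes a sourcetype-only search will hit.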

asarolkar
Builder

Worked like a charm!
