I setup a forwarder on a linux server and setup Splunk to listen on port 9997 and I added the index name (cisco) I previously setup into the inputs.conf file.
On the Splunk indexer, if I search "index=cisco", I can see all my data.
However, my "Search" page is not displaying any "Hosts", any "Sources" and any "SourceTypes"....whereas I am receiving all data.
Any idea what is wrong ?
You are right Adonio, when I run this query I get this result.
What I meant the "Search" page which shows all Hosts added,...and the moment I have the message "No data has been added",,,,whereas I should have the hostname on my cisco device.
Any idea ?
I mean the default page when you open Splunk: you have a list of "Hosts" , then if you click "Sources" you can see all your sources are are being indexed and finally if you click on "Sourcetypes" you can see all your sources types
In this page, I do not have anything being displaying whereas I have data being received from a forwarder.
Is this clearer ?
hmmm, just noticed the question is tagged as splunk light.
ill place some screenshots in an answer, hopefully the UI is similar but i am not 100% sure.
anyways, i think all you need is to click the data summary button