Hi all,

I would like to know....

I have a functional index named "phone"
I have 120 IP (with no host) defined in inputs.conf on Universal Forwarders with index=phone.

Example:

[udp://aaa.bbb.ccc.ddd:514]
        source = sip_syslog
        sourcetype = phone:siplab
        connection_host = none
        acceptFrom = aaa.bbb.ccc.ddd
        disabled = false
        index = phone

I find data with search on the search head with index=phone and my index on the server grows (so it's functional), but when I run this command (Highest-usage indexes), I don't have my Phone index. Why?

See my query:
index="_internal" source="*metrics.log" per_index_thruput | eval GB=kb/(1024*1024) | stats sum(GB) as total by series date_mday | sort total | fields + date_mday,series,total | reverse

However, with this query, I see my index:
index=_internal source=license_usage.log type=Usage | stats sum(b) by idx | sort sum(b) |reverse

I don't know why I don't have my index with the first query (made by Splunk)?

I would like just 1 report with ALL index for one day (first query). Do you have an idea?

Thanks in advance
Best Regards
Rene R.