If I use the Main index and using a Universal Forwarder I successfully index all event data in the Application, System and Security logs from a windows server.
However if I create with a new install of splunk custom indexes for each log type above the only events I seem to get in the logs are from the date that the custom indexes are created and not back to the first log entry on the server.
Can someone tell me if I need to instruct splunk to index all data or should it automatically pull all the events from the logs right back to the first one created?
Also using custom indexes, how do you add the Host and source types so they show on the Search Summary screen?
The only way I seem to be able to view them is by typing "index=log name" in the search box?
Thanks
Once data is indexed in Splunk, it will not be changed. So if you want all the old events to go to the new indexes, you will need to remove the data from the indexes, and then reload it. Here are the steps:
You can do things in a different order, if you are careful.
The Summary view only shows data from the indexes that the user is allowed to see by default. When you create new indexes, you should update the roles. For each role that should have access to the index, you need to add the index to the available indexes (unless the role has access to "all non-internal indexes"). If you also add the new index to the indexes that are searched by default, then the user will see the data from that index (sourcetypes and hosts) in the Summary view.
The reason that you have to enter index=xyz
is because the index is not searched by default for your role.
Once data is indexed in Splunk, it will not be changed. So if you want all the old events to go to the new indexes, you will need to remove the data from the indexes, and then reload it. Here are the steps:
You can do things in a different order, if you are careful.
The Summary view only shows data from the indexes that the user is allowed to see by default. When you create new indexes, you should update the roles. For each role that should have access to the index, you need to add the index to the available indexes (unless the role has access to "all non-internal indexes"). If you also add the new index to the indexes that are searched by default, then the user will see the data from that index (sourcetypes and hosts) in the Summary view.
The reason that you have to enter index=xyz
is because the index is not searched by default for your role.