Can't search

wiz561 · ‎05-16-2015

I am just getting started with Splunk at home on Ubuntu. I'm gathering logs from my pfsense firewall and I can see that there are indexed events. When trying to search for something, the search box gets disabled and a little "do not enter" or "no" sign shows up where the cursor is. No results are returned.

I'm just typing in host="10.0.110.1" in the search field.

I'm assuming that there isn't something running that needs to be. I did switch the license from enterprise trial to the free 500meg/day license.

amiracle · ‎06-30-2015

Did you add the os index and any other custom index to the Search Index by default. In the Web UI (Settings -> Access Controls -> Roles -> Admin -> scroll down to 'Indexes searched by default' and add the indexes you want to search by default. I hope that helps.

woodcock · ‎05-19-2015

See what Splunk is complaining about with this search:

index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | table cluster_count _raw | sort -cluster_count

wiz561 · ‎05-19-2015

Thanks for the response. I think the problem lies deeper than this. I installed the *nix app and can sucessfully gather information from the local box. Even though Splunk says it is receiving information, I don't think it's making it searchable for some reason.

woodcock · ‎05-19-2015

You (probably) need to specify an index; try this:

index=* OR index=_* host="10.0.110.1"

Can't search

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023