I am just getting started with Splunk at home on Ubuntu. I'm gathering logs from my pfsense firewall and I can see that there are indexed events. When trying to search for something, the search box gets disabled and a little "do not enter" or "no" sign shows up where the cursor is. No results are returned.
I'm just typing in host="10.0.110.1" in the search field.
I'm assuming that there isn't something running that needs to be. I did switch the license from enterprise trial to the free 500meg/day license.
Did you add the os index and any other custom index to the indexes searched by default? In the Web UI (Settings -> Access Controls -> Roles -> Admin), scroll down to 'Indexes searched by default' and add the indexes you want to search by default. I hope that helps.
See what Splunk is complaining about with this search:
index=_internal source=*splunkd.log* log_level!=info | cluster showcount=t | table cluster_count _raw | sort -cluster_count
Thanks for the response. I think the problem lies deeper than this. I installed the *nix app and can successfully gather information from the local box. Even though Splunk says it is receiving information, I don't think it's making it searchable for some reason.
You (probably) need to specify an index; try this:
index=* OR index=_* host="10.0.110.1"
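Both answers above rest on the same mechanism: a search with no index= term is scoped by the role's 'Indexes searched by default' list, so events can be indexed yet invisible to a plain host= search. As an added example (not from the thread and not Splunk's own code), this Python script reads that list from a constructed authorize.conf fragment, the file the Web UI setting is stored in, and reports whether an index is reached with and without the index=* OR index=_* terms; the index name 'pfsense' is a hypothetical stand-in for whatever index the firewall logs land in.

```python
"""Model Splunk's role-based index scoping from authorize.conf.

Added example, not Splunk's code. AUTHORIZE_CONF is a constructed fragment;
the key names srchIndexesAllowed / srchIndexesDefault are the ones Splunk
writes when a role is edited under Settings -> Access Controls -> Roles.
"""
import configparser
import fnmatch

# Constructed: admin may read every index, but a search that names no index
# only looks in 'main'. 'pfsense' below is a hypothetical custom index name.
AUTHORIZE_CONF = """
[role_admin]
srchIndexesAllowed = *;_*
srchIndexesDefault = main
"""


def load_roles(conf_text):
    """Parse [role_*] stanzas into {role: {key: [index patterns]}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the camelCase key names as written
    cp.read_string(conf_text)
    roles = {}
    for stanza in cp.sections():
        if not stanza.startswith("role_"):
            continue
        roles[stanza[len("role_"):]] = {
            key: [p.strip() for p in cp.get(stanza, key).split(";") if p.strip()]
            for key in ("srchIndexesAllowed", "srchIndexesDefault")
            if cp.has_option(stanza, key)
        }
    return roles


def matches(index, patterns):
    """Index lists accept '*' wildcards, e.g. '_*' for the internal indexes."""
    return any(fnmatch.fnmatchcase(index, p) for p in patterns)


def is_searched(roles, role, index, index_terms=()):
    """True if a search run as `role` reaches `index`.

    index_terms are the index=... patterns in the search string ('*', '_*');
    with none, the role's srchIndexesDefault list decides, which is why
    host="10.0.110.1" alone can return nothing while index=* finds the events.
    """
    r = roles[role]
    if not matches(index, r.get("srchIndexesAllowed", [])):
        return False  # the role is never allowed to read this index
    scope = list(index_terms) or r.get("srchIndexesDefault", [])
    return matches(index, scope)


if __name__ == "__main__":
    roles = load_roles(AUTHORIZE_CONF)
    for idx in ("main", "pfsense", "_internal"):
        print(f"{idx:10} default scope: {is_searched(roles, 'admin', idx)!s:5} "
              f"with index=* OR index=_*: {is_searched(roles, 'admin', idx, ('*', '_*'))}")
```

Adding the custom index to srchIndexesDefault for the role (the first answer's fix) makes the plain host= search succeed without the explicit index terms.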