Re: I see events in the data summary for a host. H...

rajindurbal · ‎12-03-2018

I see the host IP 1.2.3.4 with 1000 events in the last 30 minutes. However, when I run the search, the search does not return any events. Why is this? Thank you for any assistance you may provide.

vr2312 · ‎12-03-2018

Hello @rajindurbal

Please ensure your account/role has the privileges to search for the index/host.

rajindurbal · ‎12-04-2018

Hello @vr2312 ,

I am in an admin role. This data is coming in via syslog and coming in through an networking index which I am not sure where that is configured because I don't see it under the indexes.

skoelpin · ‎12-04-2018

You should post your query

vr2312 · ‎12-05-2018

@rajindurbal You can probably duplicate the inputs.conf and forward it to another index to check if data is being received. I assume you cannot see the mentioned index in the indexes.conf under the IDXs ?

richgalloway · ‎12-03-2018

What is your search?

---
If this reply helps you, Karma would be appreciated.

I see events in the data summary for a host. However, when I search, I don't see any data. How do I see it?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases