Hi guys, I am unable to search the event data for license_usage.log, whereas I can see the log file getting updated on the server. Kindly help if I have to enable it elsewhere to display in search.
Hi, we were able to fix the issue by enabling the logging of the directory "$SPLUNK_HOME\var\log\splunk" under data inputs in the Splunk UI. Thank you.
Are you in a clustered environment or in a single-instance environment?
IIRC, your role needs access to the _internal index to read that log.
Well, I logged in as an admin, and it does have access to the _internal index, as I am able to search the data when I give index=_internal ...