I think it's because you have indexed the data in an index that you have created yourself. If you index the data by assigning the default index, you can see in DATA SUMMARY all information about hosts, sources and sourcetype.
It can be possible that the data hasn't been indexed correctly.
You can test this!
Thank you very much for your response.
Yes I have created this index myself. So I guess this is unfortunately normal.
@juvetm: I only configured the inputs.conf and outputs.conf. So there is no change of data before indexing.
On the forwarder I have indexAndForward = false
@ngatchasandra is correct, the "Data Summary" in the Search & Reporting App is based on data for the configured default index, which is "main" by default.
If you wish to do a search that shows the same data as the "Data Summary", you can do the following:
| metadata index=<YOUR INDEX> type=<hosts, sources or sourcetypes> | eval lastSeen = strftime(lastTime, "%x %l:%M:%S %p") | rename <host, source, or sourcetype> AS <Host, Source, or Sourcetype>, totalCount AS Count, lastSeen AS "Last Update" | table <Host, Source, or Sourcetype>, Count, "Last Update"
Where you replace YOUR INDEX with your index minus the angle brackets, and select the appropriate type and reflect the selection in the rename command and table command.
e.g. For listing all sourcetypes, it would be
| metadata index=<YOUR INDEX> type=sourcetypes | eval lastSeen = strftime(lastTime, "%x %l:%M:%S %p") | rename sourcetype AS Sourcetype, totalCount AS Count, lastSeen AS "Last Update" | table Sourcetype, Count, "Last Update"
And this would be run across All Time (to see what you see in the Search & Reporting app, though do it at your discretion considering the index and amount of events).