Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why is host missing from Search?

zuma01
New Member
‎03-10-2019 09:52 AM

Hi All,

I'm just getting started so this is probably going to be an easy one.

I have Splunk light and have setup PFSense logs to output UDP Port 514 and setup a Splunk Monitor to gather the data (with syslog Source Type), however, when I look in the search the Host is not listed although it is visible in Data Inputs.

I did think that may be it is not visible until the data is detected/collected but I can see with Wire shark that PFsence is sending the data.

What am I doing wrong?

Thanks all

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎03-10-2019 11:29 AM

Could be a few things:
- Did you specify an index? If so when you run the search you will need to specify it as index=whatever to see your data. Alternativly in access_controls you can configure it to search that index by default.
- Is there a firewall on the box? Make sure its not blocking traffic to your port.

All the best

View solution in original post

0 Karma
Reply
Solved! Jump to solution

zuma01
New Member
‎03-10-2019 12:29 PM

It looks like the Windows Domain Firewall hosting Splunk had reset after a windows update/reboot. All working OK now. Good to know that the host will only appear when it is in the data set. Makes sense now as it is the search field pulling direct from the DB and not the configured data inputs

Start Bad, Get good

Thanks guys

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-10-2019 12:07 PM

There will always be a host field but there will only be a Host field if that is in the data itself.

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎03-10-2019 11:29 AM

Could be a few things:
- Did you specify an index? If so when you run the search you will need to specify it as index=whatever to see your data. Alternativly in access_controls you can configure it to search that index by default.
- Is there a firewall on the box? Make sure its not blocking traffic to your port.

All the best

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...