I'm going to try to explain this problem with a video. Watch as I list the monitors on a windows host and you'll see the file I want to search is listed. After that I open the log file and look at the time of the last event. Then I go over to the splunk web portal and do a search. I even click on the source directly from the summary page and the event is still not listed. You can see the last event in the search results is not what I saw from the real Windows event log. After that, I restart the universal forwarder then go back to the web portal, click the search a couple more times, and it is there. So it only seems to pick up the data after I do a restart of the forwarder... http://screencast.com/t/ILPGo40B ... View more

Does anyone have any ideas ? It seems when I restart the forwarder, then the events get updated in the search, but only when I do a restart. Obviously I am not going to restart the forwarder every time I want to see new events. I'm going to have to fail this application as something our team can use, unless this fundamental ability to search on hostname will work. I don't have the time to research errors on something that should work out of the box. ... View more

Sorry, I meant to say I am using host=PDM. (Edit: This text box won't let you use asterisks so what I typed the first time was right). I just deleted the UDP data input and cleaned all event and global data. I configured the receiver to listen on tcp 9998. It's still not reporting all events for the file I am monitoring. I added the file using the CLI...splunk add monitor " " ... View more