We've done the following so far:
Set up a new app through the web UI
Set up a new index through the web UI with the same name as the app
Configured a new sourcetype in props.conf and restarted Splunk
Configured the inputs.conf on a new forwarder to send all alerts to the new index
Started up the forwarder and configured it to send events from a file to the Splunk server, specifying the new sourcetype
We're not able to see the events from the search app. I've checked and the index contains the correct number of events. So it looks like the events are being stored but are then not visible. Any ideas what I'm doing wrong?