I can't tell if it's since we moved to mounted bundles or not, but recently we need to explicitly set the indexes which we wish to search. It was working perfectly not long ago. Doing a search of just * gives not much at all - only main, _internal, _audit, _introspection and sos. There are another ~15 indexes with MANY more events in them on our system.
I've gone as far as clicking "add all" on the "default indexes searched" box and it doesn't seem to make any difference. This is breaking all our apps, amongst other issues.
We've got a single search head (v6.1.x) pointing at a single indexer (v6.0.x), both running Debian, with the indexer NFS-mounting the search head's /opt/splunk/etc/ directory directly.