I'm trying to segregate data coming from a specific Heavy Forwarder using a specific index (my_index). So as per Answers and Manual:
1. I also defined the "my_index" index on the two Indexers that receive the data.
No index is defined on the Search Head.
2. In inputs.conf, I inserted on the Heavy Forwarder:
[input]
index = my_index
3. I configured a specific role and its users to search on this index
Looking at the console, my_index is empty (zero events), zero current size. Any search like index=my_index gives zero results,
although events are coming to the indexer (I see a tcpdump trace of the message arriving on the Indexer when events occur). Any idea? Something different in Splunk 6.5.2?
thanks in advance
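Added illustration, not part of the original post: a small Python check for the class of mismatch this question is about, an index that the Heavy Forwarder's inputs.conf sends to but that one of the indexers never defines in indexes.conf. The file contents, monitor path, port and indexer names are constructed samples, and the set of built-in indexes is an assumption.

```python
import configparser
# Constructed sample of the Heavy Forwarder's inputs.conf (hypothetical path and port).
HF_INPUTS_CONF = """
[monitor:///var/log/app/app.log]
index = my_index

[tcp://9514]
sourcetype = syslog
"""

# Constructed indexes.conf for two indexers; the second lacks the custom index stanza.
INDEXER_CONFS = {
    "indexer-a": """
[my_index]
homePath   = $SPLUNK_DB/my_index/db
coldPath   = $SPLUNK_DB/my_index/colddb
thawedPath = $SPLUNK_DB/my_index/thaweddb
""",
    "indexer-b": "[default]\n",
}

# Assumption: indexes Splunk ships with exist on every indexer without a local stanza.
BUILTIN_INDEXES = {"main", "_internal", "_audit", "_introspection", "history", "summary"}

def parse_conf(text):
    """Parse Splunk-style .conf text: keys stay case-sensitive, $VARS are not expanded."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def indexes_referenced(inputs_text, default_index="main"):
    """Map each index the inputs send to -> sorted stanzas; no 'index' key means the default."""
    refs = {}
    cp = parse_conf(inputs_text)
    for stanza in (s for s in cp.sections() if s != "default"):
        refs.setdefault(cp[stanza].get("index", default_index), []).append(stanza)
    return {k: sorted(v) for k, v in refs.items()}

def indexes_defined(indexes_text):
    """Index names an indexes.conf defines ([default] and [volume:...] are not indexes)."""
    stanzas = parse_conf(indexes_text).sections()
    return {s for s in stanzas if s != "default" and not s.startswith("volume:")} | BUILTIN_INDEXES

def missing_indexes(inputs_text, indexer_confs):
    """Return {index: [indexers lacking it]} for every index the forwarder targets."""
    defined = {name: indexes_defined(conf) for name, conf in indexer_confs.items()}
    gaps = {idx: sorted(n for n, d in defined.items() if idx not in d) for idx in indexes_referenced(inputs_text)}
    return {idx: missing for idx, missing in gaps.items() if missing}
```

Run it against the real files (the btool-merged output of each indexer is the right input) and any non-empty result names an index whose events the indexer cannot place in the intended bucket.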