Hi Everyone,
I am currently facing an issue which I am not getting my head around. I have installed the universal forwarder on win srv 2012r2 to send every log to the Splunk server. However, in the Splunk web interface, I cannot see the data that is being forwarded/indexed. I have done a tcpdump to monitor traffic on port 9997.
I can see that the communication is being made between the Splunk server and the Windows machine on that port; however, I cannot see the data being indexed or displayed on the graphic. Can anyone tell me where the data that is being collected is usually stored? Is it indexed in the default index or somewhere else? Because so far I cannot find it in the default index or wherever.
Thanks in advance.