I've read several threads on this already and have been over the documentation. I'm not sure what I've done incorrectly.
Quick summary:
Apache data is going into Splunk. Source type is apache:access. I added this to the [web-traffic] section in eventtypes.conf:
[OR sourcetype="apache:access"]
The logs are going to the 'main' index, which my user has access to.
The lookups under "setup" do not return any data, nor does eventtype=web-traffic.
However, tag=web does work in the app context.
"Data model audit" also does not return data (and acceleration says 0).
What am I missing with this?
Thanks!