Forums: SplunkGeneral: Can't get events to display given a source

When I am in the search page, and I do a:

source="/my_path/to_file"

Splunk's intellisense, shows me the files that match the pattern of the file that I am typing, and along with each file, it also shows me the number of events associated with each file...

When I choose the file, and I press enter (my timerange is 'All time'), I see no events being returned - why?

I have not customized anything in the configuration files - why is it not returning the events it claims to have indexed? Or is splunk only showing me how many lines it has counted in the file (which is incorrect too)?

The typeahead will return results that might be in "allowed" indexes, e.g., "_internal", but not "default" indexes.

I've looked at my authorize.conf file and the following properties are configured for runtime:

srchIndexesAllowed = *
#srchIndexesDefault = main
srchIndexesDefault = *

I've changed the srchIndexesDefault = *, but it really makes no difference because when I do my searches I specify the index as well as the source, in either case it doesn't work.

Anyone can help? Please?

note that srchIndexesDefault = * does *not* include any indexes whose names start with an underscore, e.g. all the _internal data. Typeahead includes data from these indexes.

It's not clear to me what doesn't work. Your typeahead is probably returning results that include your own search logs, and should be be taken as a representation of what is in the index. The "all data dashboard" will be accurate as to the actual sources in your default indexes.