topic Re: sourcetypes not loading any data in Splunk Search

Why are my sourcetypes not loading any data?

henryf — Tue, 18 Jul 2023 00:50:53 GMT

I have installed Splunk add on for AWS and created the inputs, which have a listed source type. However, when I try to search that source type, nothing comes up for the source. How can I fix this?

Re: sourcetypes not loading any data

richgalloway — Fri, 14 Jul 2023 18:48:41 GMT

Sourcetype is only one factor for finding indexed data. You also must look in the right index(es) and in the right time window.

The AWS input should have specified an index name for the data. If it doesn't then change it to do so. You'll use that name to search for the data. An input without an index specified will put data into the Last Chance index (usually "main" on-prem or "lastchanceindex" in Splunk Cloud). If you search without specifying an index name then Splunk will search your default indexes (if any), which may or may not include the AWS index.

All Splunk data is time-sequenced. If data is onboarded with the incorrect time then you'll have a difficult time finding it. Verify the sourcetype's TIME_FORMAT and TIME_PREFIX settings match the data being ingested. Expand the time window of your search using earliest=0 latest=+10y to see if the data is coming in with the right timestamps.

Of course, check the logs to make sure there are no errors getting the data from AWS.

Re: sourcetypes not loading any data

henryf — Fri, 14 Jul 2023 19:14:30 GMT

index is default for all my inputs and I always start my searches with index=*

Re: sourcetypes not loading any data

richgalloway — Fri, 14 Jul 2023 19:48:00 GMT

It's a Best Practice to send inputs to specific indexes rather than allow them to default.

It's a poor practice to use index=* in a query. Anything other than a dev/test query should use specific index names.

Are the timestamps being extracted correctly?

Have you checked the logs?

Re: sourcetypes not loading any data

henryf — Fri, 14 Jul 2023 20:04:48 GMT

nothing is being extracted. How do You check the logs and how else would you suggest I search for what I am looking for?

Re: sourcetypes not loading any data

richgalloway — Sat, 15 Jul 2023 00:54:28 GMT

If nothing is being extracted then either data is not getting from AWS to Splunk or the sourcetype doesn't describe the data well enough for Splunk to extract fields.

Start with splunkd.log to confirm the input is working and to see if there are any problems reported about the input or the data itself. You can view the log with this query (assuming you have access)

index=_internal source=*splunkd.log

Re: sourcetypes not loading any data

henryf — Mon, 17 Jul 2023 13:19:31 GMT

data loaded when I put in that search. I don't understand how this relates to my problem though, how do I view the inputs I want?

Re: sourcetypes not loading any data

richgalloway — Mon, 17 Jul 2023 16:02:25 GMT

The query displays Splunk's internal log so you can try to determine why your inputs are not producing data.