Data not showing up on Search Head - Distributed environment

shubham87
Explorer

We have a distributed Splunk environment. I am using Splunk_TA_windows on universal forwarders to send security event logs to a heavy forwarder and then to the indexer. I can see that data is being sent to the indexer, since I can see the size of the index growing; however, on my search head I cannot see this data. The indexer has been added as a search peer on my search head.

What could be the possible issue?

Thanks in Advance
Shubham

1 Solution

bheemireddi
Communicator

Check if you can see any other logs on the search head. Can you search internal logs? index=_internal - this will confirm that connectivity is working between the search head and the indexers.

If the above works, then it may be that you don't have access to the particular index with the security logs. Check permissions/access controls.

Are you doing the search with index=xxx? Sometimes you may not have default access to that index, so you have to explicitly specify it.
Are you searching the right index? For a quick spot check, index=* might help.


0 Karma

bheemireddi
Communicator

And if you have default access to any indexes, those are the ones that show up in the data summary when you log in. Hope that explains the last bit of your question.

0 Karma

bheemireddi
Communicator

Check your access controls (Settings -> Access controls). Depending on how your groups/roles are configured and which group your user falls under, see what role the group/user is mapped to. Once that is figured out, check that role's settings to see if it has access to that index and then default access to that index. These are two different settings for a role.

If you have access to the role but not default access, then you still have to use index=xxx; if the user/group/role has default access to that role, then you don't have to explicitly say index=xxx. But in order to gain performance, it's always better to use specific indexes in the search rather than just searching for "some strings".

0 Karma
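The two role settings described above map to the srchIndexesAllowed and srchIndexesDefault keys in authorize.conf, and a role also inherits both lists from any roles named in importRoles. The following script is an added example (not code from the thread or from Splunk) that resolves those settings for a constructed authorize.conf fragment and reports, for a given role and index, whether the index is searchable at all and whether it is searched without an explicit index=xxx. The stanza contents, the role names and the index names are all constructed for illustration; the wildcard handling mirrors the documented behaviour that * matches non-internal indexes only and _* is needed for indexes whose names start with an underscore.

```python
"""Resolve which indexes a Splunk role may search, and which it searches by default.

Added example: reads authorize.conf-style text, follows importRoles, and applies
the srchIndexesAllowed / srchIndexesDefault wildcard rules. Not Splunk's own code.
"""
import configparser
import fnmatch
from typing import Dict, List, Set, Tuple

# Constructed authorize.conf content for illustration only (not from any real deployment).
# "user" can search wineventlog but only main is searched by default;
# "soc_analyst" inherits "user" and additionally defaults to wineventlog.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main;wineventlog
srchIndexesDefault = main

[role_soc_analyst]
importRoles = user
srchIndexesAllowed = security_*
srchIndexesDefault = wineventlog
"""


def load_roles(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Parse [role_<name>] stanzas into {name: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (srchIndexesAllowed, importRoles, ...)
    parser.read_string(conf_text)
    return {
        section[len("role_"):]: dict(parser[section])
        for section in parser.sections()
        if section.startswith("role_")
    }


def _split_list(value: str) -> List[str]:
    """authorize.conf index lists are semicolon separated."""
    return [item.strip() for item in value.split(";") if item.strip()]


def effective_patterns(roles: Dict[str, Dict[str, str]], role: str,
                       seen: Set[str] = None) -> Tuple[Set[str], Set[str]]:
    """Union srchIndexesAllowed and srchIndexesDefault across the importRoles chain."""
    if seen is None:
        seen = set()
    if role in seen or role not in roles:  # unknown role or inheritance cycle
        return set(), set()
    seen.add(role)
    stanza = roles[role]
    allowed = set(_split_list(stanza.get("srchIndexesAllowed", "")))
    default = set(_split_list(stanza.get("srchIndexesDefault", "")))
    for parent in _split_list(stanza.get("importRoles", "")):
        parent_allowed, parent_default = effective_patterns(roles, parent, seen)
        allowed |= parent_allowed
        default |= parent_default
    return allowed, default


def _matches(patterns: Set[str], index: str) -> bool:
    """Wildcard match with Splunk's rule that '*' never covers '_'-prefixed indexes."""
    for pattern in patterns:
        if index.startswith("_") != pattern.startswith("_"):
            continue  # internal indexes only match patterns that also start with '_'
        if fnmatch.fnmatchcase(index, pattern):
            return True
    return False


def index_access(roles: Dict[str, Dict[str, str]], role: str, index: str) -> Tuple[bool, bool]:
    """Return (searchable, searched_by_default) for the role/index pair.

    A default index is only honoured when the index is also allowed, so the
    second flag is False whenever the first one is.
    """
    allowed, default = effective_patterns(roles, role)
    searchable = _matches(allowed, index)
    by_default = searchable and _matches(default, index)
    return searchable, by_default


def explain(roles: Dict[str, Dict[str, str]], role: str, index: str) -> str:
    """Human-readable verdict matching the advice in the thread."""
    searchable, by_default = index_access(roles, role, index)
    if not searchable:
        return f"role '{role}' cannot search index '{index}' (not in srchIndexesAllowed)"
    if by_default:
        return f"role '{role}' searches '{index}' without specifying index={index}"
    return f"role '{role}' must use index={index} explicitly (allowed, but not in srchIndexesDefault)"


if __name__ == "__main__":
    roles = load_roles(SAMPLE_AUTHORIZE_CONF)
    for role_name in ("user", "soc_analyst"):
        for index_name in ("main", "wineventlog", "security_firewall", "_internal"):
            print(explain(roles, role_name, index_name))
```

Run against a real authorize.conf, the script shows why a user sees wineventlog data only with an explicit index= term: the index is allowed for their role but not in that role's (or any imported role's) default list. Adding it to srchIndexesDefault for the role, or to a role the user's role imports, is what makes it appear in the data summary without the index= term.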


shubham87
Explorer

Thanks for your swift response. I was able to see logs after I searched using Index=wineventlog. How can I ensure that the Search app has default access to this index and is able to show the data summary on the default page?

0 Karma