I had created one VM (EC2 in aws, centos) and attached splunk ebs volume to it, mounted on /opt. On this Server, Splunk is running well but indexes are showing 0 data in splunk web. Though I can see data at $SPLUNK_DB, for all of my application indexes
indexes.conf having below conf
[prod-abc] homePath = $SPLUNK_DB/prod-abc/db coldPath = $SPLUNK_DB/prod-abc/colddb coldToFrozenDir = $SPLUNK_DB/prod-abc/frozendb thawedPath = $SPLUNK_DB/prod-abc/thaweddb frozenTimePeriodInSecs = 63072000 maxDataSize = auto #If I create new index test and give below setting, change the path to absolute. It populate data in index: [prod-test] homePath = /opt/splunk/volr/splunk/prod-abc/db coldPath = /opt/splunk/volr/splunk//prod-abc/colddb coldToFrozenDir = /opt/splunk/volr/splunk//prod-abc/frozendb thawedPath = /opt/splunk/volr/splunk//prod-abc/thaweddb frozenTimePeriodInSecs = 63072000 maxDataSize = auto
my splunk-launch.conf looks so-
# Where splunk is installed. SPLUNK_HOME=/opt/splunk # Location where we want to store the indexed data. SPLUNK_DB=/volr/splunk # Splunkd daemon name SPLUNK_SERVER_NAME=splunkd # Splunkweb daemon name SPLUNK_WEB_NAME=splunkweb
The path settings for the prod-test and prod-abc indexes are very different. Which is correct? Is your Splunk data in /opt/splunk/volr/splunk or /volr/splunk?
The Path you have mentioned for $SPLUNK_DB seems different. You should check that.
And also I'll suggest to mention full path in defining index instead of mentioning $SPLUNK_DB.