- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Almost no search results after upgrading to 7....
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Upgraded from 6.1 to 7.0 and now none of my old searches gives any results i.e dashboard searces.
As a Splunk rookie I have noe clue as where to start looking.
When searching for * I get a few results, but only from active directory. A search for EventCode gives no results.
Running splunk on a one-server setup, only collectiong windows event data.
Anyone have a clue where to start?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First make sure you are logged in as a user in the admin role, then try
index=*
Another item of note was that somewhere in the moderately early 6.x days (6.3? Not sure) there was a change to some things on the indexes that would make migration take a lot longer than expected.
Lastly, you did read all the release notes and follow the upgrade procedure carefully, right?
If the answers to all that are good, then you'll want to start by telling us what OS you are running under and giving us information on the architecture of your systems.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First make sure you are logged in as a user in the admin role, then try
index=*
Another item of note was that somewhere in the moderately early 6.x days (6.3? Not sure) there was a change to some things on the indexes that would make migration take a lot longer than expected.
Lastly, you did read all the release notes and follow the upgrade procedure carefully, right?
If the answers to all that are good, then you'll want to start by telling us what OS you are running under and giving us information on the architecture of your systems.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply,
My user account is in admin gruop.
Adding index=* to the searches I'm testing with did give me results i was expecting.
Not sure what you mean by "there was a change to some things on the indexes that would make migration take a lot longer than expected." I did upgrade on wendesday and the databases is somewhere around 500GB on disk, you think it's still migrating data?
release note... Probably didn't read them that closly for the 7.0 upgrade.
I'll go deeper into that to see if there is something I have missed, that can be related to this issue.
Upgrade procedure was klick the installer and follow the instructions on screen. After backup affcourse.
Splunk is running on a win 2012 R2 server. One standalone server for splunk.
Not sure if that covers the architecture question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In sort of reverse order:
Yes, architecture question answered, that was all we needed.
As long as you have a good backup, all else is cake, right? 🙂
The reasons don't matter any more as to the extra time, but it wouldn't have been days in your case, just minutes (maybe tens of minutes, but not hours I wouldn't think). This isn't the problem in your case.
So, the real reason - I think you make some assumptions in searches that the user role in use will have the indexes involved set to "searched by default". You should either a) change the searches to include index=... (maybe including more than one like (index=X OR index=Y)), or possibly/probably easier just change the roles to re-add all non-internal indexes to the default ones searched.
Of the two, the first option is generally better to do - it limits the amount of data Splunk must search and thus makes it all better/faster. The latter will work, but it's less than ideal in many ways. That of course doesn't automatically make it the wrong solution in YOUR case, just that you might want to confirm it in your environment.
I'm going to convert my comment to an answer - there's NO NEED to click it accepted at this time or anything, I just think it happens to be at least one reasonably answer to this question. If it really does turn out to be this is "the answer" then of course it would be great if you could click it as "Accepted".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Went to the Settings -> Access controlls -> Roles -> Admin (in this case) -> Indexes searched by default
The only indexer there was main (only contains Active Directory data) so I addedd all non-internal indexes and all internal indexes
Now it seems everything is working again as before.
Thank you alot for the help.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
