Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Events from new index are not showing up

kjohnsonzenimax
Explorer
‎10-04-2012 05:33 AM

I have inherited a fairly undocumented splunk deployment which looks as follows (splunk 4.3.2):

Forwarders -> 2x Heavy Forwarders -> 3x Indexers -> Search Head

I have added an index to the Search Head via the web interface and installed two forwarders with an inputs.conf as below:

[monitor:////opt/tld/glassfish/domains/tldcs/logs/feedback.log]
sourcetype = tld_gameplay
index = tld_gameplay

[monitor:////home/tldcs/web/apps/cstools/log/production.log]
index = customer_service

[monitor:////opt/tld/glassfish/domains/tldcs/logs/server.log]
index = customer_service

[monitor:////opt/tld/glassfish/domains/tldcs/logs/services.log]
index = customer_service

The issue is that I am not seeing any events in the web interface.

How can I debug this? What information do you need from me, so that I can help you? How can I verify that data is, or is not, even being received by the heavy forwarder, and then the indexers?

I am unclear whether I need to "add" the index somewhere else other than via the web interface.

Thanks,

Tags (1)
Reply

kjohnsonzenimax
Explorer
‎10-10-2012 10:27 AM

All that I had to do was restart the individual indexers, which the heavy forwarder was reporting to. After doing this, events began showing up in the search.

Reply

sowings
Splunk Employee
Splunk Employee
‎10-04-2012 01:06 PM

Adding the index on the web interface adds it to the search head's local filesystem. It doesn't add it on the indexers themselves. In a lot of cases, the web interface of the indexers is turned off, to save memory as it commonly isn't used in this kind of distributed environment. I'd suggest first going to the indexers (command line is OK) and issuing splunk list indexes to see if your indexers have this new one.

You could then add them directly to the indexes.conf, or temporarily spin up the Splunk UI on the indexers to be able to use the UI to add the index.

0 Karma
Reply

kjohnsonzenimax
Explorer
‎10-10-2012 10:24 AM

Hey, thanks for your answer. I have just checked the three indexers, running the command 'splunk list index' and have verified that the new index is listed on all three indexers.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...