Splunk WebUI - 'Waiting for Data'; no logs shown

Explorer

When I launch the Splunk dashboard, the predefined queries just sit there 'waiting for data'.

I read somewhere this could be because data isn't going into the default index. This is something I changed when I first set Splunk up to use an alternative index. I have no idea how to resolve this situation however or what is required to modify the indexes the default queries reference.

Any help would be much appreciated.


Re: Splunk WebUI - 'Waiting for Data'; no logs shown

Champion

Ok, so a few things.
Are you forwarding data to your indexer via a universal forwarder? If so, could you edit your question with the contents of inputs.conf from the splunk_home/etc/system/local folder?
Alternatively, if you are logging locally then paste the inputs.conf from the location above or possibly splunk_home/etc/apps/search/local if you added them via the UI.

If you don't specify an index they will go to main by default, so if you don't care about indexes (and you shouldn't really unless you need to for user access, security or for testing) just leave the index = field out.

Waiting for data is what a panel on a dashboard displays when it is a real time search with no data found yet, so yes, in the case of the summary screen, it means no data in the default index.
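
The index routing described in the answer above can be checked directly against an inputs.conf. The following is an added example, not part of the original thread and not Splunk's own code: it resolves the index each input stanza writes to (the stanza's own index setting, else the one in [default], else main) and lists the inputs a search over the default index would miss. The sample file is constructed, and the index name "netlogs" and the monitor path are assumptions.

```python
import configparser

DEFAULT_INDEX = "main"  # per the answer above: inputs without index = go to main

# Constructed sample: a [default] stanza like the one quoted in the thread,
# plus a hypothetical UDP 514 input routed to an alternative index "netlogs".
SAMPLE_INPUTS_CONF = """
[default]
host = MSTHAYIN12

[udp://514]
sourcetype = syslog
index = netlogs

[monitor:///var/log/messages]
sourcetype = syslog
"""

def effective_indexes(conf_text):
    """Map each input stanza to the index its events are written to."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(conf_text)
    # Settings in [default] apply to every stanza that does not override them.
    inherited = DEFAULT_INDEX
    if parser.has_section("default"):
        inherited = parser.get("default", "index", fallback=DEFAULT_INDEX)
    result = {}
    for stanza in parser.sections():
        if stanza == "default":
            continue
        result[stanza] = parser.get(stanza, "index", fallback=inherited)
    return result

def outside_default_index(conf_text):
    """Stanzas whose data a search limited to the default index will not see."""
    indexes = effective_indexes(conf_text)
    return sorted(s for s, idx in indexes.items() if idx != DEFAULT_INDEX)

if __name__ == "__main__":
    for stanza, idx in effective_indexes(SAMPLE_INPUTS_CONF).items():
        note = "" if idx == DEFAULT_INDEX else "  <- not in the default index"
        print(f"{stanza:32} index={idx}{note}")
```
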

Re: Splunk WebUI - 'Waiting for Data'; no logs shown

Explorer

Thanks for your answer Drainy.

An inputs.conf file doesn't exist in the 2nd directory you've mentioned, however the first directory contains an inputs.conf file which merely says:

[default]
host = MSTHAYIN12

I appreciate your help, but sadly I'm not very clued up on Splunk.

Re: Splunk WebUI - 'Waiting for Data'; no logs shown

Champion

That's no problem, that's why we're here 🙂 So are you forwarding via a remote forwarder? I'm trying to figure out how you are attempting to consume files.

Re: Splunk WebUI - 'Waiting for Data'; no logs shown

Explorer

I'm uncertain on the terminology I'm afraid. I have a number of devices forwarding to a syslog server (Splunk). I'm only using syslog, but also only have one instance of Splunk.

Re: Splunk WebUI - 'Waiting for Data'; no logs shown

Champion

What I mean is, how are you adding data to Splunk? If it's syslog being forwarded on, have you gone to Manager -> Data Inputs -> UDP and added one for UDP 514, assuming you are using the default ports?

Re: Splunk WebUI - 'Waiting for Data'; no logs shown

Explorer

Yes, that's correct. I just set up a data input for UDP 514.
