When I launch the Splunk dashboard, the predefined queries just sit there 'waiting for data'.
I read somewhere this could be because data isn't going into the default index. This is something I changed when I first set Splunk up to use an alternative index. I have no idea how to resolve this situation however or what is required to modify the indexes the default queries reference.
Any help would be much appreciated.
Ok, so a few things.
Are you forwarding data to your indexer via a universal forwarder? If so, could you edit your question with the contents of inputs.conf from the
Alternatively, if you are logging locally then paste the inputs.conf from the location above or possibly splunk_home/etc/apps/search/local if you added them via the UI.
If you don't specify an index they will go to main by default, so if you don't care about indexes (and you shouldn't really unless you need to for user access, security or for testing) just leave the index = field out.
Waiting for data is what a panel on a dashboard displays when it is a real time search with no data found yet, so yes, in the case of the summary screen, it means no data in the default index.
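To see in practice what the answer above describes, here is an added example (not from the thread and not Splunk's own tooling) that parses an inputs.conf in Splunk's stanza format and lists the inputs whose effective index is something other than main, the index the default searches look in; the sample file contents are constructed, including the bare host line like the one the asker found.

```python
import re
from typing import Dict, List
DEFAULT_INDEX = "main"  # Splunk's default index when a stanza sets no index

# Constructed sample inputs.conf: a bare host line (as in the thread), a UDP 514
# syslog input that overrides the index, and a file monitor that does not.
SAMPLE_INPUTS_CONF = """\
host = MSTHAYIN12

[udp://514]
sourcetype = syslog
index = netdevices

[monitor:///var/log/messages]
sourcetype = syslog
"""

def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}. Settings that
    appear before any [stanza] header belong to [default]; '#' starts a comment."""
    stanzas: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def inputs_not_in_default_index(text: str) -> List[str]:
    """Return 'stanza -> index' for every input whose effective index is not
    DEFAULT_INDEX. An index set in [default] applies to inputs that set none."""
    stanzas = parse_conf(text)
    fallback = stanzas["default"].get("index", DEFAULT_INDEX)
    return [
        f"{name} -> {keys.get('index', fallback)}"
        for name, keys in stanzas.items()
        if name != "default" and keys.get("index", fallback) != DEFAULT_INDEX
    ]

if __name__ == "__main__":
    # Each reported stanza is data the summary dashboard's default searches miss.
    for hit in inputs_not_in_default_index(SAMPLE_INPUTS_CONF):
        print(hit)
```

Run it against the real file (for example $SPLUNK_HOME/etc/apps/search/local/inputs.conf) by reading it into a string; any stanza it reports is data the default index=main searches will never show.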
Thanks for your answer Drainy.
An inputs.conf file doesn't exist in the 2nd directory you've mentioned, however the first directory contains an inputs.conf file which merely says:
host = MSTHAYIN12
I appreciate your help, but sadly I'm not very clued up on Splunk.
That's no problem, that's why we're here 🙂 So are you forwarding via a remote forwarder? I'm trying to figure out how you are attempting to consume files.
I'm uncertain on the terminology I'm afraid. I have a number of devices forwarding to a syslog server (Splunk). I'm only using syslog, but also only have one instance of Splunk.
What I mean is how are you adding data to Splunk? If it's syslog being forwarded on, have you gone to Manager -> Data Inputs -> UDP and added one for UDP 514, assuming you are using the default ports?