Using the tutorial and adding the Sampledata.zip file, Splunk states that it saved/indexed the data successfully. However, on searching on the dashboard page the data is not shown. I have successfully loaded real-time Linux data from the server running Splunk. I have also cleared the eventdata to ensure I start from a clean data set but still no show.
Any advice gratefully received. Thanks.
OK, sorted. If in doubt, uninstall Splunk and start all over again.
I've investigated further and come to the conclusion that there must be a config somewhere that needs to be enabled to accept data. I have a simple web server log on the localhost. Once again I have gone through the simplest Add Data process and all is saved without errors. But when I go to search there is no data displayed in the dashboard. I'm obviously missing something.
Any pointers much appreciated.
OK, thanks. Perhaps I should clarify what I'm trying to do...
Following exactly what the tutorial advises and loading the Sampledata.zip file, making the necessary changes under the "More settings" section (set host && regexp). I used the default index. It appears to "Save" without problems. But when I start searching the dashboard is blank. Without getting this part of the piece sorted I'm hard pushed to evaluate the product!
I probably misunderstood this question when I answered--sorry. I'm not sure what you mean about the sample index being enabled?
You can definitely upload the data into a different index, which you can specify under "More settings" from the "Add data" screen.
Just remember to include the index in your searches... for example,
index=tutorial sourcetype=access_* ...
Thanks for the suggestion. Followed the tutorial and the summary dashboard page uses the default indexes. The sample index is enabled. Can I specify an index to use?
Are you searching the correct index and time range?