Using the tutorial, I added the Sampledata.zip file, and Splunk states that it saved/indexed the data successfully. However, on searching on the dashboard page the data is not shown. I have successfully loaded real-time Linux data from the server running Splunk. I have also cleared the eventdata to ensure I start from a clean data set but still no show.
Any advice gratefully received. Thanks.
I've investigated further and come to the conclusion that there must be a config somewhere that needs to be enabled to accept data. I have a simple web server log on the localhost. Once again I have gone through the simplest Add Data process and all is saved without errors. But when I go to search there is no data displayed in the dashboard. I'm obviously missing something.
Any pointers much appreciated.
OK, thanks. Perhaps I should clarify what I'm trying to do...
I am following exactly what the tutorial advises and loading the Sampledata.zip file, making the necessary changes under the "More settings" section (set host && regexp). I used the default index. It appears to "Save" without problems. But when I start searching the dashboard is blank. Without getting this part of the piece sorted I'm hard pushed to evaluate the product!
You can definitely upload the data into a different index, which you can specify under "More settings" from the "Add data" screen.
Just remember to include the index in your searches... for example,
index=tutorial sourcetype=access_* ...