Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Splunk WebUI - 'Waiting for Data'; no logs sho...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk WebUI - 'Waiting for Data'; no logs shown
When I lauch the Splunk dashboard, the predefined queries just sit there 'waiting for data'.
I read somewhere this could be because data isn't going into the default index. This is something I changed when I first set Splunk up to use an alternative index. I have no idea how to resolve this situation however or what is required to modify the indexes the default queries reference.
Any help would be much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, so a few things.
Are you forwarding data to your indexer via a universal forwarder? If so, could you edit your question with the contents of inputs.conf from the splunk_home/etc/system/local folder?
Alternatively, if you are logging locally then paste the inputs.conf from the location above or possibly splunk_home/etc/apps/search/local if you added them via the UI.
If you don't specify an index they will go to main by default, so if you don't care about indexes (and you shouldn't really unless you need to for user access, security or for testing) just leave the index = field out.
Waiting for data is what a panel on a dashboard displays when it is a real time search with no data found yet, so yes, in the case of the summary screen, it means no data in the default index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes that's correct. I just setup a data input for UDP 514.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What I mean is how are you adding data to Splunk? If its syslog being forwarded on, have you gone to Manager-> Data Inputs -> UDP and add one for UDP 514, assuming you are using the default ports
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm uncertain on the terminology I'm afraid. I have a number of devices forwarding to a syslog server (Splunk). I'm only using syslog, but also only have one instance of Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thats no problem, thats why we're here 🙂 So are you forwarding via a remote forwarder? I'm trying to figure out how you are attempting to consume files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answer Drainy.
An inputs.conf file doesn't exist in the 2nd directory you've mentioned, however the first directory contains an inputs.conf file which merely says:
[default]
host = MSTHAYIN12
I appreciate you're help, but sadly I'm not very clued up on Splunk.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Event Series: Telemetry Pipeline Management
Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...
Deep insights, no barriers: Splunk Observability Cloud Free Edition
