Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk WebUI - 'Waiting for Data'; no logs shown

NeilGingell
Explorer
‎06-26-2012 01:55 AM

When I lauch the Splunk dashboard, the predefined queries just sit there 'waiting for data'.

I read somewhere this could be because data isn't going into the default index. This is something I changed when I first set Splunk up to use an alternative index. I have no idea how to resolve this situation however or what is required to modify the indexes the default queries reference.

Any help would be much appreciated.

Tags (1)
0 Karma
Reply

Drainy
Champion
‎06-26-2012 02:45 AM

Ok, so a few things.
Are you forwarding data to your indexer via a universal forwarder? If so, could you edit your question with the contents of inputs.conf from the splunk_home/etc/system/local folder?
Alternatively, if you are logging locally then paste the inputs.conf from the location above or possibly splunk_home/etc/apps/search/local if you added them via the UI.

If you don't specify an index they will go to main by default, so if you don't care about indexes (and you shouldn't really unless you need to for user access, security or for testing) just leave the index = field out.

Waiting for data is what a panel on a dashboard displays when it is a real time search with no data found yet, so yes, in the case of the summary screen, it means no data in the default index.

Reply

NeilGingell
Explorer
‎06-26-2012 07:17 AM

Yes that's correct. I just setup a data input for UDP 514.

0 Karma
Reply

Drainy
Champion
‎06-26-2012 05:44 AM

What I mean is how are you adding data to Splunk? If its syslog being forwarded on, have you gone to Manager-> Data Inputs -> UDP and add one for UDP 514, assuming you are using the default ports

0 Karma
Reply

NeilGingell
Explorer
‎06-26-2012 05:34 AM

I'm uncertain on the terminology I'm afraid. I have a number of devices forwarding to a syslog server (Splunk). I'm only using syslog, but also only have one instance of Splunk.

0 Karma
Reply

Drainy
Champion
‎06-26-2012 05:26 AM

Thats no problem, thats why we're here 🙂 So are you forwarding via a remote forwarder? I'm trying to figure out how you are attempting to consume files.

0 Karma
Reply

NeilGingell
Explorer
‎06-26-2012 05:06 AM

Thanks for your answer Drainy.

An inputs.conf file doesn't exist in the 2nd directory you've mentioned, however the first directory contains an inputs.conf file which merely says:

[default]
host = MSTHAYIN12

I appreciate you're help, but sadly I'm not very clued up on Splunk.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Maximizing the Value of Splunk ES 8.x

Splunk Enterprise Security (ES) continues to be a leader in the Gartner Magic Quadrant, reflecting its pivotal ...