Dashboards & Visualizations

Why is the Index Detail: Instance dashboard not displaying data under "historical charts" for some indexes?

damode
Motivator

In the historical view of Index Detail: Instance page of the Indexer DMC, it shows data for only _audit and _telemetry. No data for other indexes.

EDIT : There is no historical data shown on all of my splunk instances- 1 S.H, 1 Indexer and 2H.Fs. I have set their DMC's in standalone mode.
I learnt from here that the historical panels get data from introspection logs. Then I re-read the "Monitoring Console setup prerequisites" where it says,

  1. Platform instrumentation must be enabled for every Splunk Enterprise instance that you intend to monitor, except forwarders. (that means Platform instrumentation must NOT be enabled on Forwarders)
  2. Forward internal logs (both $SPLUNK_HOME/var/log/splunk and $SPLUNK_HOME/var/log/introspection) to indexers from all other components. (Forwarding internal logs from Search Head and Heavy Forwarders will basically make them also "Forwarders")

Does that mean I should disable Platform instrumentation on Search head and Heavy forwarders ?
And if I disable Platform instrumentation on these "forwarders" then it will not generate any introspection logs. Then what would be the sense in forwarding them to Indexer ?

Please help me understand this.

0 Karma

micahkemp
Champion

It sounds like your DMC is only searching itself (or peers that only have those indexes). Do you have it configured with your indexers as search peers, and have you configured it for distributed mode?

0 Karma

damode
Motivator

Its configured in Distributed Search mode with the Search Head. So, there is only 1 S.H and 1 Indexer. The above issue is on Indexer DMC.

0 Karma

micahkemp
Champion

Have you configured your remote instances appropriately on the setup page?

0 Karma

damode
Motivator

Sorry, I think you meant whether the S.H was configured in distributed mode. No, Both S.H and Indexer are in Standalone mode.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...