Dashboards & Visualizations

Why is the Index Detail: Instance dashboard not displaying data under "historical charts" for some indexes?

damode
Motivator

In the historical view of Index Detail: Instance page of the Indexer DMC, it shows data for only _audit and _telemetry. No data for other indexes.

EDIT : There is no historical data shown on all of my splunk instances- 1 S.H, 1 Indexer and 2H.Fs. I have set their DMC's in standalone mode.
I learnt from here that the historical panels get data from introspection logs. Then I re-read the "Monitoring Console setup prerequisites" where it says,

  1. Platform instrumentation must be enabled for every Splunk Enterprise instance that you intend to monitor, except forwarders. (that means Platform instrumentation must NOT be enabled on Forwarders)
  2. Forward internal logs (both $SPLUNK_HOME/var/log/splunk and $SPLUNK_HOME/var/log/introspection) to indexers from all other components. (Forwarding internal logs from Search Head and Heavy Forwarders will basically make them also "Forwarders")

Does that mean I should disable Platform instrumentation on Search head and Heavy forwarders ?
And if I disable Platform instrumentation on these "forwarders" then it will not generate any introspection logs. Then what would be the sense in forwarding them to Indexer ?

Please help me understand this.

0 Karma

micahkemp
Champion

It sounds like your DMC is only searching itself (or peers that only have those indexes). Do you have it configured with your indexers as search peers, and have you configured it for distributed mode?

0 Karma

damode
Motivator

Its configured in Distributed Search mode with the Search Head. So, there is only 1 S.H and 1 Indexer. The above issue is on Indexer DMC.

0 Karma

micahkemp
Champion

Have you configured your remote instances appropriately on the setup page?

0 Karma

damode
Motivator

Sorry, I think you meant whether the S.H was configured in distributed mode. No, Both S.H and Indexer are in Standalone mode.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...