- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Why is the Index Detail: Instance dashboard no...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is the Index Detail: Instance dashboard not displaying data under "historical charts" for some indexes?
In the historical view of Index Detail: Instance page of the Indexer DMC, it shows data for only _audit and _telemetry. No data for other indexes.
EDIT : There is no historical data shown on all of my splunk instances- 1 S.H, 1 Indexer and 2H.Fs. I have set their DMC's in standalone mode.
I learnt from here that the historical panels get data from introspection logs. Then I re-read the "Monitoring Console setup prerequisites" where it says,
- Platform instrumentation must be enabled for every Splunk Enterprise instance that you intend to monitor, except forwarders. (that means Platform instrumentation must NOT be enabled on Forwarders)
- Forward internal logs (both $SPLUNK_HOME/var/log/splunk and $SPLUNK_HOME/var/log/introspection) to indexers from all other components. (Forwarding internal logs from Search Head and Heavy Forwarders will basically make them also "Forwarders")
Does that mean I should disable Platform instrumentation on Search head and Heavy forwarders ?
And if I disable Platform instrumentation on these "forwarders" then it will not generate any introspection logs. Then what would be the sense in forwarding them to Indexer ?
Please help me understand this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It sounds like your DMC is only searching itself (or peers that only have those indexes). Do you have it configured with your indexers as search peers, and have you configured it for distributed mode?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its configured in Distributed Search mode with the Search Head. So, there is only 1 S.H and 1 Indexer. The above issue is on Indexer DMC.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you configured your remote instances appropriately on the setup page?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I think you meant whether the S.H was configured in distributed mode. No, Both S.H and Indexer are in Standalone mode.
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
