The indexes will not show up until they receive some data. Are you sending data to the indexes?
after i "splunk restarted" them all, twice.
they showed up....
The indexes will not show up until they receive some data. Are you sending data to the indexes?
|metadata type=sourcetypes index=idx-dn:
firstTime lastTime recentTime sourcetype totalCount type
1 1336071194 1342402517 1371955561 DNlog 1079499 sourcetypes
there are events in that index
You said that you are receiving events. Look at the events in your search head and verify the index of the events.
sorry i dont quite understand you. the index name is "idx-dn"
What is the index of the events that you are receiving?
inputs.conf and outputs.conf on FORWARDER:
[monitor:///DATA/DNlog/DN.log.*]
sourcetype = DNlog
index = IDX-DN
host = LogDB
disabled = false
[tcpout]
defaultGroup = Peer_Group
maxQueueSize = 500MB
[tcpout:Peer_Group]
autoLB = true
autoLBFrequency = 1
useACK = true
server = 172.16.40.98:9997, 172.16.40.99:9997, ......
indexes.conf on PEER-NODEs:
[IDX-DN]
repFactor = auto
coldPath = $SPLUNK_DB/idx-dn/colddb
homePath = $SPLUNK_DB/idx-dn/db
maxDataSize = auto_high_volume
thawedPath = $SPLUNK_DB/idx-dn/thaweddb
What is the value of index for the events that you are receiving? Could it be the default index? If so, you need to specify the index in the inputs.cont of your forwarder.
yes, i did,i can see data on searchhead