Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Files in folders indexed but no results showing in search

bshamsian
Path Finder
‎12-16-2012 09:09 AM

I setup a directory to be scanned.  I went to Manager » Data inputs » Add data » Files & directories & clciked the new button and went thru the data preview and picked a file and made sure it looks ok with the given sourcetype that I created.  Once everything looked ok I changed the input from a single file to a folder - so the path to input file is something like this:

/opt/readonly/logs/event_recorder/2012-12-*

Once I created the new data input I see the folder in the input lists and I see that splunk has indexed over 300 files and the count goes up as new files come in.  However no results are returned in search for anything from these files.  I tried searching based on HOST field or source filed or sourcetype field and nothing comes back in search.

Index was set to default so they should have gone to main index. Tried using index=* but did not make any difference.

How can I find out what happened and what did splunk do with the data.

Splunk version 4.3

Tags (1)
0 Karma
Reply

sbrant_splunk
Splunk Employee
Splunk Employee
‎12-16-2012 10:48 AM

What timeframe are you searching across? It's possible that the time extraction or timezone is incorrect, so if you are doing a real-time search over the past 5 minutes, for instance, you will never see anything.

Perform your search over all time and see if any data comes back. If it does, you'll need to get the time extraction and timezone set correctly.

Reply

bshamsian
Path Finder
‎12-16-2012 12:46 PM

I thought about that and changed timeframe to all time but it not make a difference.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...