Solved: Splunk index on a Windows log folder

neltonk · ‎01-23-2018

New to Splunk please help...

I have created an index in Splunk enterprise and added a monitor to the splunk universal forwarder on a Windows Server. The size of the folder is 5 GB. I can see the index size growing but I am unable to search any data. Does the search work only after the index is fully populated?

Thanks

mayurr98 · ‎01-23-2018

No, it does not! you can search for the data while you are indexing the data.

Efficient way to search for your data is

index=<name of the index>

Run this search for all time.
Also, if you do not have specified the name of the index then the default index name is main

let me know if this helps!

View solution in original post

mayurr98 · ‎01-23-2018

No, it does not! you can search for the data while you are indexing the data.

Efficient way to search for your data is

index=<name of the index>

Run this search for all time.
Also, if you do not have specified the name of the index then the default index name is main

let me know if this helps!

neltonk · ‎01-23-2018

Thanks a lot Mayur. That worked... Thanks again for the tip.

cmerriman · ‎01-23-2018

what exactly does your search look like? do you have the name of the index in your search string?
if you go into Settings>Users and Authentication Access Controls>Roles and click on your role, is the Windows Server index selected (or All internal/non-internal indexes)?

Splunk index on a Windows log folder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation