Deployment Architecture

Why is the new index not searchable?

AlteUnke
New Member

Hi everyone,

I'm new to Splunk and this is the first Index I created, so hopefully this Question ain't to nooby 😉

This is my inputs.conf:

[monitor:///var/log/app/retry.log]
disabled=false
sourcetype=log4j
index=retry
multiline_event_extra_waittime = true

indexes.conf:

[retry]
homePath=$SPLUNK_DB/retry/db
coldPath=$SPLUNK_DB/retry/colddb
thawedPath=$SPLUNK_DB/retry/thaweddb
repFactor=autor        
maxDataSize=auto

Cluster Bundle Status:

master                        
         cluster_status=None                                                                         
         active_bundle             
                checksum=2924BEA962D9C72179B8CF4D03846EAB 
                timestamp=1533281547 (in localtime=Fri Aug  3 09:32:27 2018) 
         latest_bundle                                      
                checksum=2924BEA962D9C72179B8CF4D03846EAB                                                          
                timestamp=1533281547 (in localtime=Fri Aug  3 09:32:27 2018)                                      
         last_validated_bundle                                                                       
                checksum=2924BEA962D9C72179B8CF4D03846EAB                                                         
                last_validation_succeeded=1                                       
                timestamp=1533281547 (in localtime=Fri Aug  3 09:32:27 2018)                    
         last_check_restart_bundle   
                last_check_restart_result=restart not required  
                checksum=    
                timestamp=0 (in localtime=Thu Jan  1 01:00:00 1970)

 splunkidx2    3F5EEC11-8718-4C0D-AEF7-0F54DABB1D01    default                   
         active_bundle=2924BEA962D9C72179B8CF4D03846EAB                                               
         latest_bundle=2924BEA962D9C72179B8CF4D03846EAB                 
         last_validated_bundle=2924BEA962D9C72179B8CF4D03846EAB                                          
         last_bundle_validation_status=success                                     
         restart_required_apply_bundle=0        
         status=Up     

 splunkidx3    79FD9BAC-9F72-46CB-A043-EDCA31DE8EB7    default                           
         active_bundle=2924BEA962D9C72179B8CF4D03846EAB        
         latest_bundle=2924BEA962D9C72179B8CF4D03846EAB 
         last_validated_bundle=2924BEA962D9C72179B8CF4D03846EAB                   
         last_bundle_validation_status=success    
         restart_required_apply_bundle=0  
         status=Up

 splunkidx1    D2077BB4-988A-46F2-BB00-E261EBF94BC9    default               
         active_bundle=2924BEA962D9C72179B8CF4D03846EAB    
         latest_bundle=2924BEA962D9C72179B8CF4D03846EAB
         last_validated_bundle=2924BEA962D9C72179B8CF4D03846EAB                                               
         last_bundle_validation_status=success                     
         restart_required_apply_bundle=0                                                         
         status=Up

I can see the new "retry" Index in Splunk and add it to roles. But I can't search for it, or find events when search for "index=retry".
But I can see the rawdata/db on the Indexers, so Data is here.
Any Idea what I could have missed?

Thanks in advance!

0 Karma

bpadmanbhachari
Splunk Employee
Splunk Employee

One thing i observed in indexes.conf is " repFactor = autor " which is invalid.

Can you change to "repFactor = auto" and try to push bundles again to peers.

http://docs.splunk.com/Documentation/Splunk/7.1.2/Indexer/Configurethepeerindexes#1._Edit_indexes.co...

0 Karma

renjith_nair
Legend

Check the roles assigned to the new index if the current role you are using is allowed to see the data

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

Steve_G_
Splunk Employee
Splunk Employee

Also, in your index definition, it should be "repFactor=auto", not "repFactor=autor"

0 Karma

AlteUnke
New Member

Uh, thanks for that! Didn't see that!

0 Karma

sudosplunk
Motivator

Hello, did you try expanding the time range for the results. Try searching for "All Time" (in time range picker) and see if any data shows up.

AlteUnke
New Member

Wow. I was about to answer something like "If it was that easy...". But that's it. Can you tell me what the difference between "All-time (real time)" and "All time" is? I can see the logs only in "All time", which might be the reason why I couldn't see the obvious...

But thanks for the tip!

0 Karma

sudosplunk
Motivator

Real-time searches scan events as the events arrive for indexing. When you kick off a real-time search, Splunk software scans the incoming events. The scan looks for events that contain index-time fields that indicate the event could be a match for your search.

"All-time (real-time)" search will continue running until you or another user stops the search or deletes the search job whereas "All-time" search stops once it has returned all the events matching the search criteria.

0 Karma

AlteUnke
New Member

I believe my misunderstanding was, that I used logs which all had the date "03.08.2018". I just copy/pasted them, thinking splunk would log them under "last 7 days" depending on the time the log was added and not the date which is written in the log-entry.

0 Karma

sudosplunk
Motivator

Splunk's default timestamp recognition process extracts timestamps found in the events unless instructed otherwise.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...