Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

DATA not feeding in INDEX : Splunk

vivekg72
Explorer
‎04-22-2020 04:12 AM

Hi

I have got 5 node SPLUNK .

NODE1 : Master + License Manager
Node 2 : Indexer - peer
Node 3 : Indexer - Peer
Node 4 : Indexer - Peer
Node 5 : Search head

All is working fine . Now I need to create a new index for test purpose . and push one file in that index

Thus I have done following :

In master Node , We have a file called indexes.conf under :
/apps/splunk/etc/master-apps/app-infrastructure-loganalysis/local

I have added a few index lines :
[indexwinelksynclogs]
homePath = /data/splunk/indexwinelksynclogs/db
coldPath = /data/splunk/indexwinelksynclogs/colddb
thawedPath = /data/splunk/indexwinelksynclogs/thaweddb
repFactor = auto

0 Karma
Reply

vivekg72
Explorer
‎04-22-2020 04:16 AM

Therefter I did following in master :

splunk apply cluster-bundle
splunk show cluster-bundle-status

I can see new index file is deployed in All Index servers . I have restarted whole cluster
and I can see index in UI

but When I try to push data , it does not work .. nothing goes in index

Can u please help me ASAP ?

0 Karma
Reply

vivekg72
Explorer
‎04-22-2020 05:55 AM

Hi

I have added following lines in input.conf of splunk forwarder

[monitor://D:\PTP\Daily*.csv]
disabled = false
sourcetype = indexwinelksynclogs
index = indexwinelksynclogs

0 Karma
Reply

vivekg72
Explorer
‎04-22-2020 05:56 AM

There are two more stanza in input file ( using old indexes ) and I can see data in those indexes updated regularly

but not in new Index .

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-22-2020 05:47 AM

Please say more about how you are pushing data and how you are searching for it. How are you specifying the index name? Are you specifying the correct index?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...