Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Data is not making to indexer

ssankeneni
Communicator
‎10-05-2012 12:28 PM

The Data forwarded by universal forwarder is not making to the indexer. There is no clue on splunkd.log file even. It shows that the forwarder has made a connection to indexer. Any help would be appreciated.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-05-2012 04:19 PM

First, you must create the index before you direct any inputs to the index. Go to Manager>>Indexes and create the testindex there.

Second, searches only include a default set of indexes, based on your role. When you create a new index (such as textindex), you need to add it to any roles where you wish for the new index to be searched by default. You also must include the new index in any roles that will be allowed to search it explicitly. Go to Manager>>Access Controls to edit these settings.

If you did create the testindex, try this search to see if there is anything in it:

index=testindex

You can also look at the testindex in Manager>>Indexes, which will show how many events it contains.

HTH

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-05-2012 04:19 PM

First, you must create the index before you direct any inputs to the index. Go to Manager>>Indexes and create the testindex there.

Second, searches only include a default set of indexes, based on your role. When you create a new index (such as textindex), you need to add it to any roles where you wish for the new index to be searched by default. You also must include the new index in any roles that will be allowed to search it explicitly. Go to Manager>>Access Controls to edit these settings.

If you did create the testindex, try this search to see if there is anything in it:

index=testindex

You can also look at the testindex in Manager>>Indexes, which will show how many events it contains.

HTH

Reply
Solved! Jump to solution

ssankeneni
Communicator
‎10-09-2012 11:10 AM

Thanks for the answer.. but my problem was the indexer is forwarding to another server. I removed it and it started working back. Thank you for your help.

0 Karma
Reply
Solved! Jump to solution

ssankeneni
Communicator
‎10-05-2012 12:44 PM

I'm unable to index the data on the same splunk instance even. My inputs.conf file on the same instance. I can't see any testindex being created.
[default]
host = vm10177
[monitor:///home/ssanke/SplunkTests/logs/DistSearch]
index = testindex

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎10-05-2012 12:37 PM

Please provide much more details on your setup - inputs, outputs, etc etc. It's impossible to help you without having any details.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...