Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Data is not making to indexer

ssankeneni
Communicator
‎10-05-2012 12:28 PM

The Data forwarded by universal forwarder is not making to the indexer. There is no clue on splunkd.log file even. It shows that the forwarder has made a connection to indexer. Any help would be appreciated.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-05-2012 04:19 PM

First, you must create the index before you direct any inputs to the index. Go to Manager>>Indexes and create the testindex there.

Second, searches only include a default set of indexes, based on your role. When you create a new index (such as textindex), you need to add it to any roles where you wish for the new index to be searched by default. You also must include the new index in any roles that will be allowed to search it explicitly. Go to Manager>>Access Controls to edit these settings.

If you did create the testindex, try this search to see if there is anything in it:

index=testindex

You can also look at the testindex in Manager>>Indexes, which will show how many events it contains.

HTH

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎10-05-2012 04:19 PM

First, you must create the index before you direct any inputs to the index. Go to Manager>>Indexes and create the testindex there.

Second, searches only include a default set of indexes, based on your role. When you create a new index (such as textindex), you need to add it to any roles where you wish for the new index to be searched by default. You also must include the new index in any roles that will be allowed to search it explicitly. Go to Manager>>Access Controls to edit these settings.

If you did create the testindex, try this search to see if there is anything in it:

index=testindex

You can also look at the testindex in Manager>>Indexes, which will show how many events it contains.

HTH

Reply
Solved! Jump to solution

ssankeneni
Communicator
‎10-09-2012 11:10 AM

Thanks for the answer.. but my problem was the indexer is forwarding to another server. I removed it and it started working back. Thank you for your help.

0 Karma
Reply
Solved! Jump to solution

ssankeneni
Communicator
‎10-05-2012 12:44 PM

I'm unable to index the data on the same splunk instance even. My inputs.conf file on the same instance. I can't see any testindex being created.
[default]
host = vm10177
[monitor:///home/ssanke/SplunkTests/logs/DistSearch]
index = testindex

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎10-05-2012 12:37 PM

Please provide much more details on your setup - inputs, outputs, etc etc. It's impossible to help you without having any details.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...