Getting Data In

How come only some data is replicating?

Motivator

Hey there,

I have one search head (SH), one Indexer, and one DS in my Splunk 7.2 environment. For months, the SH has been receiving the replicated data from the Indexer without a problem. I threw universal forwarders on ~15 domain controllers last night, and I am able to correctly have them send data to my indexer.

However, the new domain controller data isn't searchable from the SH, but the old data sources and their dynamic data, are still searchable from the SH. The indexer searches both the old and new data. What's the issue? Kind of bizarre, why would some data replicate but not others?

I switched my SH over to HTTPS last week... that could be the issue but I don't know how to solve it.

(SH, last 15min) index=msexchange | head 1 | table host                                   -> Shows data
(IN, last 15min) index=msexchange | head 1 | table host                                   -> Shows data
(SH, last 15min) source=WinEventLog:Security | head 1 | table host                        -> Does not show data
(IN, last 15min) source=WinEventLog:Security | head 1 | table host                        -> Shows data
0 Karma
1 Solution

Influencer

Hi,

Just a shot in the dark, but is the new source in a different index? Then it could be a permission thing; you might not have the permission to search that new index.

Check that in Access control, in your role, you can see the indexes you can search under "Selected search indexes".

Motivator

Different indexes, I updated my original post so you can see the two indexes. Same app for both indexes, "SA-ExchangeIndex".

Where would I look to see if there's a permissions issue? My personal account has all permissions. I don't see "Selected search indexes" anywhere.

0 Karma

Influencer

OK, if you have the admin role, that's probably not it.

But you can check in Settings -> Access Control -> Users and see what role your user has. Go back to Access Control and hit Roles, click on the Role name and scroll down to the bottom; there should be an Indexes section:

Indexes

Restrict this role's searches to the specified index(es). Search results for this role will only show events from these indexes.

Admin should have all "internal and non-internal indexes".

0 Karma

Motivator

Fixed it! Thanks so much. I had enabled LDAP login for Splunk last week (co-enabled along with the HTTPS change mentioned), and my LDAP account name was the same as my Splunk account, so that account got overridden and my permissions were slightly less. Earlier today, before posting, I had gone through and assigned my account the permissions back, but then they got overridden automatically because of LDAP. I just created a new Splunk account that's not an LDAP account and assigned it all permissions. Boom. Thanks again! So it was permissions.

0 Karma
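As an added example (not code from this thread or from Splunk), the check the answer describes can also be done offline against an authorize.conf fragment: resolve importRoles and srchIndexesAllowed for a set of roles and test whether an index name is searchable. Because an LDAP-mapped user gets its roles from the LDAP group mapping rather than the local account, passing in the mapped roles shows what that user can actually search; the conf text, role names and the "wineventlog" index name below are constructed assumptions.

```python
import configparser
import fnmatch

# Constructed sample authorize.conf (not from the thread): a local admin role
# that can search everything, and a narrower role an LDAP group might map to.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
importRoles = power;user
srchIndexesAllowed = *;_*

[role_power]
importRoles = user
srchIndexesAllowed = msexchange

[role_user]
srchIndexesAllowed = main
"""


def load_roles(conf_text):
    """Parse [role_<name>] stanzas into {name: {"imports": [...], "allowed": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        imports = cp.get(section, "importRoles", fallback="")
        allowed = cp.get(section, "srchIndexesAllowed", fallback="")
        roles[section[len("role_"):]] = {
            "imports": [r.strip() for r in imports.split(";") if r.strip()],
            "allowed": [p.strip() for p in allowed.split(";") if p.strip()],
        }
    return roles


def effective_index_patterns(roles, role_names):
    """Collect srchIndexesAllowed patterns across the given roles and every role they import."""
    seen, patterns, stack = set(), [], list(role_names)
    while stack:
        name = stack.pop()
        if name in seen or name not in roles:
            continue  # unknown roles (e.g. a mapping typo) simply grant nothing
        seen.add(name)
        patterns.extend(roles[name]["allowed"])
        stack.extend(roles[name]["imports"])
    return patterns


def can_search_index(roles, role_names, index):
    """True if any allowed pattern (Splunk-style * wildcard) matches the index name."""
    return any(fnmatch.fnmatchcase(index, p) for p in effective_index_patterns(roles, role_names))
```

With the sample data, a user holding only the mapped "power" role can search msexchange but not the assumed wineventlog index, which is exactly the split the original post saw.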