Solved: Re: How to troubleshoot why data is not being inde...

templier · ‎11-12-2014

Hello, i need help.

I have Splunk 6.2
It's sending data using a universal forwarder.
But on the server, I can only search by index=

And also if i go the Search & Reporting app, I see:
What to Search
Waiting for data...
And nothing... If I open Data Summary - it's empty

What do I do?
Thank you!

templier · ‎11-12-2014

Once again understood myself.
The problem was in the rights of users.

View solution in original post

lindbergh_calde · ‎12-02-2014

Hi

Just to Add to answer above. I too ran into the same issue. Splunk has done a few tweaks with the new version 6.2 and if you do not specify the index, the data cannot be searched successfully. hence to allow searching via sourcetype or etc.
Go to

1) Settings -> Access Control -> Roles (select the role applicable to you).
2) Scroll Down to "Indexes searched by default" and select the indexes you want to be included in your searches by default

This should work now.

Cheers

templier · ‎12-02-2014

Hello, Cheers.

Thank you for your answer.
I will add - if you have more indexes or they will be added you can add the following settings:
1) Settings -> Access Control -> Roles (select the role applicable to you).
2) Scroll Down to "Indexes searched by default" and "Indexes" and select parameter "all non-internal indexes"

Sergey

templier · ‎11-12-2014

Once again understood myself.
The problem was in the rights of users.

How to troubleshoot why data is not being indexed in Splunk 6.2?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation