Getting Data In

Why am I unable to see the forwarder but data is being received?

Engager

Hi,
I setup a forwarder on a linux server and setup Splunk to listen on port 9997 and I added the index name (cisco) I previously setup into the inputs.conf file.
On the Splunk indexer, if I search "index=cisco", I can see all my data.

However, my "Search" page is not displaying any "Hosts", any "Sources" and any "SourceTypes"....whereas I am receiving all data.

Any idea what is wrong ?
Philippe

0 Karma

SplunkTrust
SplunkTrust

here is in splunk enterprise, kindly assist with splunk light if its not equivalent:

alt text

alt text

0 Karma

SplunkTrust
SplunkTrust

search index=cisco | head
look on the left part of the screen
the 3 fields host, source, sourcetype supposed to be there

Engager

You are right Adonio, when I run this query I get this result.

What I meant the "Search" page which shows all Hosts added,...and the moment I have the message "No data has been added",,,,whereas I should have the hostname on my cisco device.

Any idea ?

0 Karma

SplunkTrust
SplunkTrust

you mean the data summary button?

0 Karma

Engager

I mean the default page when you open Splunk: you have a list of "Hosts" , then if you click "Sources" you can see all your sources are are being indexed and finally if you click on "Sourcetypes" you can see all your sources types

In this page, I do not have anything being displaying whereas I have data being received from a forwarder.

Is this clearer ?
Thanks

0 Karma

SplunkTrust
SplunkTrust

hmmm, just noticed the question is tagged as splunk light.
ill place some screenshots in an answer, hopefully the UI is similar but i am not 100% sure.
anyways, i think all you need is to click the data summary button

0 Karma