Getting Data In

Why are all my indexes disabled but Splunk is still writing data?

nryagin
Explorer

Hello colleagues,

Can you help me with an issue which I caught a couple of days ago and still couldn't resolve?

A couple of days ago I tried to check my license status, but I didn't do it because Splunk said that the data wasn't found.
When I tried to find the result manually by running a search, I found that the system indexes didn't have any events. After that, I checked the settings and found that all indexes were disabled and I couldn't enable them through Splunk Web.

I also checked splunkd.log and didn't find any errors which might be related to my issue.
There is only this ERROR state: ERROR AuthenticationManagerLDAP - Could not find user="nobody" with strategy="mystrategy
I did a restart and it passed all checks without any trouble.
I ran splunk btool check --debug to find something strange but didn't find anything.

After that, I observed for some time the folders which are used for the internal indexes and detected that Splunk was still writing data.
I tried to enable an index by editing indexes.conf and putting the disabled flag in it.
After the restart, Splunk showed me that the index had been enabled, but there still weren't any events there.

0 Karma
1 Solution

nryagin
Explorer

As a result, I couldn't resolve the issue described above by editing conf files and checking splunkd.log, but I had to review data from the internal indexes to evaluate the license for some period of time. That's why I saved all my conf files, left the indexes, and after that re-installed Splunk. I copied all my conf files back and started the Splunk service again, and a miracle occurred: Splunk started monitoring all indexes correctly.
Also, as I found earlier, Splunk had continued writing all system events, and I am able to check all the data for this period now.

0 Karma

aaraneta_splunk
Splunk Employee

Hi @nryagin - Did this answer you posted provide a working solution for you? If yes and you would like to close out this question, please click "Accept" below your answer. Thank you.

0 Karma