
Why are all my indexes disabled but Splunk is still writing data?

Explorer

Hello colleagues,

Can you help me with an issue which I caught a couple of days ago and still haven't been able to resolve?

A couple of days ago I tried to check my license status, but I wasn't able to because Splunk said that the data wasn't found.
When I tried to find the result manually by running a search, I found that the system indexes didn't have any events. After that, I checked the settings and found that all indexes were disabled and I couldn't enable them through Splunk Web.


I also checked splunkd.log and didn't find any errors which might be related to my issue.
There is only this ERROR message: ERROR AuthenticationManagerLDAP - Could not find user="nobody" with strategy="mystrategy
I did a restart and it passed all checks without any trouble.
I ran splunk btool check --debug to find something strange but didn't find anything.

After that, I observed the folders used for the internal indexes for some time and found that Splunk was still writing data.
I tried to enable an index by editing indexes.conf and adding the disabled flag to it.
After the restart, Splunk showed me that the index had been enabled, but there still weren't any events in it.

0 Karma

Re: Why are all my indexes disabled but Splunk is still writing data?

Explorer

As a result, I couldn't resolve the issue described above by editing conf files and checking splunkd.log, but I had to review data from the internal indexes to evaluate the license for some period of time. That's why I saved all my conf files, left the indexes, and then re-installed Splunk. I copied all my conf files and started the Splunk service again, and a miracle occurred: Splunk started monitoring all indexes correctly.
Also, as I found earlier, Splunk had continued writing all system events, and I am now able to check all data for this period.


0 Karma

Re: Why are all my indexes disabled but Splunk is still writing data?

Splunk Employee

Hi @nryagin - Did this answer you posted provide a working solution for you? If yes and you would like to close out this question, please click "Accept" below your answer. Thank you.

0 Karma