Getting Data In

Why is the data from my forwarders not showing up in the Splunk Web Data Summary in Splunk 6.3.3?

hartcl1
Explorer

Splunk version 6.3.3

I have seven Windows clients and I'm not sure why my data appeared on the Data Summary tab for about 5 minutes then it all disappeared. As soon as the systems were installed I saw ~ 15,000 records on the Data Summary tab. Now I can only see two clients and only the CPU and memory data from those hosts. On the Summary Tab I see about 1,500 records.

Something has changed from the older versions where you simply install the forwarder.. add the server name and port 9997. ...and BAM... your done.

Is there a way to get this version to perform like the older 5.x versions? I'm actually thinking about falling back to the older versions.

How do you know which index your clients are sending its data too? For example, I want everything to go to the "main" database so it's easy to find and search.

brian1_tate
Path Finder

I have this same question as it seems to happen on basic default single instance installs. If one adds data, say TCP or UDP or API via Data Inputs page, the data comes in to the assigned index that was created. It can be searched, yet its like Splunk doesn't bother to create an inputs.conf file for you.

Why is this and why is the data coming in to this single index, I'm the only user as admin and I can't see more than the main index (if that's why data summary is blank). There have been no real solid answers I could find on this forum to answer such a basic question. Forget any forwarders, forget any complexity to this question

1 user
1 data source
1 single instance
1 host appears with index=_internal splunk_server=* | stats count by host (which is server splunk is installed on and source types are all but the one defined by the installed TA and used by the searchable index). So that means the data is coming in as per "Getting Data In" but why is it not in the Data Summary (I know it will be if I forward it but what if there are no forwarders as in my lab case, you can't put a forwarder on mobile devices)?

I know brownie points were handed out this year and I've observed the forums going shifting to advanced topics and never answering these so I hope someone will be kind enough to answer this basic question.

Thank you.

0 Karma

niketn
Legend

@brian1_tate you have to make sure that _internal is added as the Indexes searched by default from the Settings > Access Controls for it to be picked up by metadata command. By default, the index searched by default setting for admin is main index only. However, since admins have Available search indexes set to both all internal and non internal indexes stats command would still work to pull stats from _internal index.

If you run the following command and do not get any results then there is no default index set.

| metadata type=sourcetypes

If you run the following command (search all internal indexes is specified explicitly through index=_* ) and you get results that means you have access to search internal indexes, they are not set as default indexes. You would need to correct the Index Searched By Default setting for the specific role from Settings > Access Controls

| metadata type=sourcetypes index=_*

Refer to the following blog as you can also run Metada Command to create your own Summary Report of indexed event for each source/sourcetype/host : https://www.splunk.com/blog/2017/07/31/metadata-metalore.html

Hope this explains the details you are looking for! Kindly let us know if you need further information 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

meenal901
Communicator

Hi,

If you have not specified index name in inputs.conf of your forwarders, all data would flow to main by default.
You can check index=_internal splunk_server=* | stats count by host to check which all hosts are sending data to your indexer.

I don't know why summary and actual is different, may be the settings were overwritten? Do you have a deployment server in your architecture?

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...