Splunk version 6.3.3
I have seven Windows clients and I'm not sure why my data appeared on the Data Summary tab for about 5 minutes then it all disappeared. As soon as the systems were installed I saw ~ 15,000 records on the Data Summary tab. Now I can only see two clients and only the CPU and memory data from those hosts. On the Summary Tab I see about 1,500 records.
Something has changed from the older versions, where you simply install the forwarder, add the server name and port 9997... and BAM... you're done.
Is there a way to get this version to perform like the older 5.x versions? I'm actually thinking about falling back to the older versions.
How do you know which index your clients are sending their data to? For example, I want everything to go to the "main" database so it's easy to find and search.
If you have not specified an index name in inputs.conf on your forwarders, all data will flow to main by default.
You can run `index=_internal splunk_server=* | stats count by host` to check which hosts are sending data to your indexer.
I don't know why the summary and actual data differ; maybe the settings were overwritten? Do you have a deployment server in your architecture?
I have this same question, as it seems to happen on basic default single-instance installs. If one adds data, say TCP or UDP or API via the Data Inputs page, the data comes in to the assigned index that was created. It can be searched, yet it's like Splunk doesn't bother to create an inputs.conf file for you.
Why is this, and why is the data coming in to this single index? I'm the only user, as admin, and I can't see more than the main index (if that's why the data summary is blank). There have been no real solid answers I could find on this forum to answer such a basic question. Forget any forwarders, forget any complexity to this question:
1 data source
1 single instance
1 host appears with `index=_internal splunk_server=* | stats count by host` (which is the server Splunk is installed on, and the source types are all but the one defined by the installed TA and used by the searchable index). So that means the data is coming in as per "Getting Data In", but why is it not in the Data Summary? (I know it will be if I forward it, but what if there are no forwarders, as in my lab case? You can't put a forwarder on mobile devices.)
I know brownie points were handed out this year and I've observed the forums shifting to advanced topics and never answering these, so I hope someone will be kind enough to answer this basic question.
@brian1tate you have to make sure that `_internal` is added to the "Indexes searched by default" setting under Settings > Access Controls for it to be picked up by the `| metadata` command. By default, the "Indexes searched by default" setting for admin is the `main` index only. However, since admins have "Available search indexes" set to both all internal and non-internal indexes, the `stats` command would still work to pull stats from the `_internal` index.
If you run the following command and do not get any results, then there is no default index set.
`| metadata type=sourcetypes`
If you run the following command (searching all internal indexes is specified explicitly through `index=_*`) and you get results, that means you have access to search internal indexes, but they are not set as default indexes. You would need to correct the "Indexes searched by default" setting for the specific role under Settings > Access Controls.
`| metadata type=sourcetypes index=_*`
Refer to the following blog, as you can also run the metadata command to create your own summary report of indexed events for each source/sourcetype/host: https://www.splunk.com/blog/2017/07/31/metadata-metalore.html
Hope this explains the details you are looking for! Kindly let us know if you need further information 🙂
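As an added illustration of the two settings this answer and the earlier reply describe (not configuration from the original post), here is a constructed authorize.conf role stanza showing the default search scope beside the corrected one, and an inputs.conf stanza that names its index explicitly so data does not silently land in main. Paths and stanza names are assumptions for a lab install.

```ini
# authorize.conf (example, constructed): what the admin role may search
# versus what it searches when no index= is given.
[role_admin]
# Default out of the box: searches without index= only hit main,
# so "| metadata type=sourcetypes" returns nothing for _internal.
srchIndexesDefault = main
# Widen the default scope so the metadata command also sees _internal.
# Note: this does not grant access; access is governed by srchIndexesAllowed,
# which for admin already covers every non-internal (*) and internal (_*) index.
srchIndexesDefault = main;_internal
srchIndexesAllowed = *;_*

# inputs.conf (example, constructed): pin each input to an index explicitly.
# Without "index =", events default to main, which is why the Data Summary
# looks different depending on which indexes a role searches by default.
[monitor:///var/log/example_app.log]
index = main
sourcetype = example_app
disabled = 0
```

Restart Splunk (or use the Settings UI, which writes the same keys) after editing, then re-run the two metadata searches above to confirm the default scope changed.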