Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

new index not accepting data

damucka
Builder
‎08-04-2020 07:33 AM

Hello,

I am not able to get my data into the newly created "varlog" index. The index is an event index and active in the system. I am not able to see any issues with it. I have the following inputs.conf stanza:

 

[default]

host = ccd03v005084

[monitor:///var/log/*]

index = varlog

disabled = 0

interval = 15

sourcetype = syslog

 

Interesting, when I change "varlog" with "main" I am getting the data into the "main".

Can it be, that this is due to the Splunk Enterprise Trial license that I am using? Would the trial license allow creation and data indexing in the new indexes?

If not, how would I investigate it further? There is no sign of any problems neither in the splunkd.log of the forwarder nor anywhere else I checked.

Kind Regards,

Kamil

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-04-2020 08:44 AM

Hi @damucka,

in general, there isn't any reason because logs aren't stored in varlog index, and they are correctly stored in main index.

Could you share the indexes.conf where is defined the varlog index?

Check if the name is correct and if the folder are correctly created in file system.

The trial license has no affects on your problem.

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-04-2020 08:44 AM

Hi @damucka,

in general, there isn't any reason because logs aren't stored in varlog index, and they are correctly stored in main index.

Could you share the indexes.conf where is defined the varlog index?

Check if the name is correct and if the folder are correctly created in file system.

The trial license has no affects on your problem.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

damucka
Builder
‎08-05-2020 03:57 AM

The name is correct and the folders are there ....

The only thing is, that this is the Kubernetes cluster so I am not sure how the interaction here is.

0 Karma
Reply
Solved! Jump to solution

aashiqwork
Explorer
‎08-06-2020 04:21 AM

Go to the Search Head and search with the below search (Make sure you have rights to see internal indexes data):

index=_internal | dedup host | fields host | table host

Look in the list to see if your Forwarder’s hostname is in the list, if it is present that means the Forwarder is connected. 

0 Karma
Reply
Solved! Jump to solution

aashiqwork
Explorer
‎08-04-2020 09:24 AM

Does your varlog index has necessary permissions for indexing the data.

 

Thanks

A

0 Karma
Reply
Solved! Jump to solution

damucka
Builder
‎08-05-2020 03:59 AM

@aashiqwork 

Could you please more precisely specify where would I find the setting to permit my "varlog" index the indexing?

I thought naively if I create it in the "search" app context it would accept whatever comes ...

Kind Regards,

Kamil

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...