- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I click the Indexes and Volumes>volume_detail_instance,the page has no data to display,and it tips 'Search is waiting to type'. Anyone who can help me solve this problem,thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Index volumes are a Splunk concept, not specific to Windows or Linux. They make it easier for several indexes to share the same storage space. For instance, instead of specifying a size limit for each index you give one size limit (perhaps the disk size minus some margin) for all of them. Before we had volumes, each index would be assigned some fraction of the available disk space and the admin would have to hope he guessed right about how much each index needed.
You can read more about index volumes in $SPLUNK_HOME/etc/system/README/indexes.conf.spec and at https://docs.splunk.com/Documentation/Splunk/8.2.5/Indexer/Configureindexstoragesize
Don't, however, create volume(s) just to populate a dashboard that you otherwise don't need.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


A dashboard will display "Search is waiting for input" when undefined tokens are used in a panel. If your system is like mine then you don't have any volumes defined and so the "Volume" dropdown will not populate, preventing the dashboard from running searches.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much,my system is windows,so how should I define volumes.I do not know so much about volumes of windows or linux.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content


Index volumes are a Splunk concept, not specific to Windows or Linux. They make it easier for several indexes to share the same storage space. For instance, instead of specifying a size limit for each index you give one size limit (perhaps the disk size minus some margin) for all of them. Before we had volumes, each index would be assigned some fraction of the available disk space and the admin would have to hope he guessed right about how much each index needed.
You can read more about index volumes in $SPLUNK_HOME/etc/system/README/indexes.conf.spec and at https://docs.splunk.com/Documentation/Splunk/8.2.5/Indexer/Configureindexstoragesize
Don't, however, create volume(s) just to populate a dashboard that you otherwise don't need.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It hleps me a lot,I will read the document carefully to know more about index storage.Thank you very much.
