Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

cant search data in indexer

arsidiq
Loves-to-Learn Everything
‎04-24-2025 01:49 AM

i installed splunk in distributed management environment. furthermore, my indexer server got reboot and i can't query my data even though at index = _internal. whereas previously it was fine.

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-28-2025 01:29 PM

First things first.

1. Does the splunkd process run on the indexer?

2. Does it listen on the 8089 port?

3. Can you reach indexer's 8089 port from the SH?

4. What does "splunk status" say on the indexer?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-24-2025 02:23 AM

Can you tell more about what and how you have done this installation and what kind of distributed environment you have?

Are the problematic node indexer, search head or something other node?

0 Karma
Reply

arsidiq
Loves-to-Learn Everything
‎04-24-2025 02:38 AM

first i have 3 different server (HF, SH, and IDX) and the distributed search is going to IDX. there an incident that idx server is shutting down and after i started and run the splunk services, i can't query any data. i try to query index = * and has no result.

0 Karma
Reply

arsidiq
Loves-to-Learn Everything
‎04-24-2025 02:40 AM

i think the problem itself in indexer node, but still cant find out why it can query splunk internal log

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-28-2025 10:31 AM

Have you check that those indexes are there and splunk is running there without issues?

Basically if you have GUI enabled on IDX you can try query from there or use CLI and do queries on command line too.

Check also if there is any issues with internal logs. You can query those from internal indexes like 

index=_internal log_level IN (error, warn)
0 Karma
Reply

kiran_panchavat
Champion
‎04-24-2025 02:16 AM

@arsidiq 

Refer this 

Solved: Why is no data being written to the _internal inde... - Splunk Community

Solved: Why is _internal index is disabled? - Splunk Community

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

kiran_panchavat
Champion
‎04-24-2025 02:12 AM

@arsidiq 

 
Verify that the search head can communicate with the indexer.
If it fails, check firewall rules or network issues. Ensure the indexer is listed in the search head’s distributed search configuration:
 
  • Splunk Web: Settings > Distributed Search > Search Peers.
  • Or check $SPLUNK_HOME/etc/system/local/distsearch.conf.
Check this on the indexer:-  tail -n 100 /opt/splunk/var/log/splunk/splunkd.log
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

kiran_panchavat
Champion
‎04-24-2025 02:03 AM

@arsidiq 

  • Ensure the indexer is running. Log into the indexer server and check Splunk's status: /opt/splunk/bin/splunk status
  • If Splunk is not running, start it: /opt/splunk/bin/splunk start
  • Confirm that the search head and other components can communicate with the indexer. Test connectivity using: ping <indexer_ip>
  • Verify that the Splunk management port (default: 8089) is open: telnet <indexer_ip> 8089
    Check the Splunk logs on the indexer for errors: /opt/splunk/var/log/splunk/splunkd.log
  • Look for issues related to indexing, disk space, or corrupted buckets. Common issues include: Disk full errors or Corrupted index buckets due to improper shutdown.

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

arsidiq
Loves-to-Learn Everything
‎04-24-2025 02:07 AM

yups the indexer is running, and still cant quey any data after the server has been reboot

0 Karma
Reply

kiran_panchavat
Champion
‎04-24-2025 02:21 AM

@arsidiq 

Verify permissions for Splunk directories. If they've changed to root after a reboot, correct them with:

chown -R splunk:splunk /opt/splunk

Are you able to see the data for other indexes? 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

arsidiq
Loves-to-Learn Everything
‎04-24-2025 02:35 AM

already done this, since splunk has to run using user splunk sir so when i want to start the service i already change the permissions

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...