"Waiting for data..." and cannot perform searches ...

joseph_hazlett · ‎06-30-2014

I recently contacted the Sales department to request a trial license to see if the Enterprise features were a good fit for what we use Splunk for. After I received the license, I installed it via the web interface, and restarted the Splunk service as required. Now, after the reboot, the Splunk interface is telling me that it is waiting for data and I can't perform any searches.

The license is correctly installed, it states that it can handle up to 10240MB/day, though I currently only use about 1MB per day. It has been working fine for the past few weeks aggregating data. It's only now that I installed the Enterprise license that my search and dashboards stopped working. I really just wanted to evaluate things like alerts and scheduled reporting, but now it's completely broken. I only have one user, the default admin user that comes with Splunk Enterprise.

Does anyone have any ideas as to why it would do this? Googling couldn't find any answers that solved my issue.

Thanks

ultimo · ‎09-02-2020

Spoiler

Hi, I can't perform any searches and i cant get any results. I am a mac user. I downloaded splunk for fundemantals 1. Do you happen to have any suggestion? Best.

markakirkland · ‎03-24-2017

ALCON,

This question registers, but, the answer doesn't really stand out. So, here it is:

Check the roles and indexes available to whichever user is trying to see data. For example, my admin user didn't see the windows data on my recent install and constantly said, "waiting for data." When I checked the role permissions to the index that I created... admin didn't have access by default. After adding the new index to the admin user, I then saw the number of indexed events on the search app "home," page.

Happy Splunking!

joseph_hazlett · ‎06-30-2014

Unintuitively, I had to go to Settings->Access Controls->Roles->Admin and add all my indexes, since none of them were added to the admin role by default.

rshoward · ‎01-26-2015

We found that adding the index to a new role and allowing the search results form that index as well was the best way to go in the long run... IF you are going to need to manage rbac by sourcetype etc down the road, adding index limits over search filter limits is slightly less overhead.

_josemi · ‎12-29-2016

Thank you joseph, indexes selection inside roles did the trick

joseph_hazlett · ‎06-30-2014

Thanks. I would have thought that should have happened automatically when installing the enterprise license, since before then, I didn't even need to log in, it just worked. I think I got it now, it at least tells me there are entries to search again.

gkanapathy · ‎06-30-2014

Was your previous version the Splunk "Free" version, or was it the Download Trial? it's a little confusing, but when you first download, you get a 60-day trial of the Enterprise, which then turns to "Free" if you don't add a new Enterprise (or Enterprise Trial) license. If you were previously on the Free version, I might check the access controls to see if your user has rights to the indexes containing your data.

"Waiting for data..." and cannot perform searches after installing Splunk Enterprise trial license.

license

other

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life