I recently contacted the Sales department to request a trial license to see if the Enterprise features were a good fit for what we use Splunk for. After I received the license, I installed it via the web interface, and restarted the Splunk service as required. Now, after the reboot, the Splunk interface is telling me that it is waiting for data and I can't perform any searches.
The license is correctly installed, it states that it can handle up to 10240MB/day, though I currently only use about 1MB per day. It has been working fine for the past few weeks aggregating data. It's only now that I installed the Enterprise license that my search and dashboards stopped working. I really just wanted to evaluate things like alerts and scheduled reporting, but now it's completely broken. I only have one user, the default admin user that comes with Splunk Enterprise.
Does anyone have any ideas as to why it would do this? Googling couldn't find any answers that solved my issue.
This question registers, but the answer doesn't really stand out. So, here it is:
Check the roles and indexes available to whichever user is trying to see data. For example, my admin user didn't see the Windows data on my recent install and constantly said, "waiting for data." When I checked the role permissions to the index that I created... admin didn't have access by default. After adding the new index to the admin user, I then saw the number of indexed events on the search app "home" page.
Unintuitively, I had to go to Settings->Access Controls->Roles->Admin and add all my indexes, since none of them were added to the admin role by default.
We found that adding the index to a new role and allowing the search results from that index as well was the best way to go in the long run... IF you are going to need to manage RBAC by sourcetype etc. down the road, adding index limits over search filter limits is slightly less overhead.
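To make the two answers above concrete (the admin role that lacked the new index, and the suggestion to grant index access through a dedicated role that the admin role imports), here is an added example, not code from the thread or from Splunk. It parses a constructed `authorize.conf`-style snippet, resolves role inheritance through `importRoles`, and reports which data indexes a role cannot search. The stanza names and the keys `srchIndexesAllowed`, `srchIndexesDefault` and `importRoles` follow Splunk's real file format; the role and index names, and the assumption that inherited roles contribute their allowed indexes, are mine.

```python
"""Check which indexes a Splunk role can search from an authorize.conf-style
config. Added example for the thread; the config text below is constructed."""
import configparser
from fnmatch import fnmatch

# Constructed "before" state: the admin role only reaches main and _internal,
# so a user on that role sees "waiting for data" for the windows index.
BEFORE = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_admin]
importRoles = user
srchIndexesAllowed = main;_internal
srchIndexesDefault = main
"""

# Constructed "after" state: a dedicated role carries the new index and the
# admin role imports it (the approach the second answer recommends).
AFTER = """
[role_user]
srchIndexesAllowed = main
srchIndexesDefault = main

[role_windows_readers]
srchIndexesAllowed = windows
srchIndexesDefault = windows

[role_admin]
importRoles = user;windows_readers
srchIndexesAllowed = main;_internal
srchIndexesDefault = main
"""


def load_roles(text):
    """Return {role_name: {key: [values...]}} for every [role_*] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case, e.g. srchIndexesAllowed
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        name = section[len("role_"):]
        # Splunk lists are semicolon separated: "main;_internal"
        roles[name] = {
            key: [v.strip() for v in value.split(";") if v.strip()]
            for key, value in cp.items(section)
        }
    return roles


def allowed_patterns(roles, role, _seen=None):
    """Index patterns a role may search, including ones inherited via
    importRoles (assumption: inherited roles contribute their allowed list).
    Cycle-safe so a mis-edited config cannot recurse forever."""
    _seen = set() if _seen is None else _seen
    if role in _seen or role not in roles:
        return []
    _seen.add(role)
    patterns = list(roles[role].get("srchIndexesAllowed", []))
    for parent in roles[role].get("importRoles", []):
        patterns += allowed_patterns(roles, parent, _seen)
    return patterns


def can_search(roles, role, index):
    """True if any allowed pattern matches the index. Splunk accepts
    wildcards such as * and _* in this list; fnmatch models that."""
    return any(fnmatch(index, pattern) for pattern in allowed_patterns(roles, role))


def missing_indexes(roles, role, data_indexes):
    """Indexes that hold data but that the role cannot search: the ones a
    user on this role will report as 'waiting for data'."""
    return sorted(i for i in data_indexes if not can_search(roles, role, i))


if __name__ == "__main__":
    data = ["main", "windows", "_internal"]
    for label, text in (("before", BEFORE), ("after", AFTER)):
        roles = load_roles(text)
        print(label, "admin cannot search:", missing_indexes(roles, "admin", data))
```

Running it prints `['windows']` for the "before" config and `[]` for the "after" config. Pointing `load_roles` at the text of a real `authorize.conf` (from `etc/system/local` or an app's `local` directory) gives a quick defender-side check that every role in use can actually reach the indexes it is expected to monitor.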
Thank you, Joseph; index selection inside roles did the trick.
Thanks. I would have thought that should have happened automatically when installing the enterprise license, since before then, I didn't even need to log in, it just worked. I think I got it now, it at least tells me there are entries to search again.
Was your previous version the Splunk "Free" version, or was it the Download Trial? It's a little confusing, but when you first download, you get a 60-day trial of the Enterprise, which then turns to "Free" if you don't add a new Enterprise (or Enterprise Trial) license. If you were previously on the Free version, I might check the access controls to see if your user has rights to the indexes containing your data.