Knowledge Management

Deleting the Input Data

splunkpoornima
Communicator

1.) I upload the Data to the splunk throught Summary\add more data..My data in the Summary Index is not there in Manager\Data inputs\files and directories.and even if i delete the data file in Manager\Data inputs\files and directories it was not getting reflected in the Summary ..Still it has all the data is visible in the summary index

2.) after i upload the data through summary\add new data i can the able to see the data file in
Manager\Data inputs\files and directories. but not able to see in Summary main

Plz Help

Tags (1)
0 Karma

MHibbin
Influencer

I think, trying to read the question above, the following is the answer...

I am assuming that you have configured a custom index for your data and you are wondering why the information is not appearing on the default landing page for the Search app (i.e. the summary view). The reason is that (on the assumption that you have configured data to send to a customer index) the summary view will only show data that is sent to the defualt index (i.e. "main").

Perhaps you can confirm this by copying your inputs.conf file into the previous question (via an edit).

I have not tried the following... however you can probably replicate the summary view to and "custom" summary view and add something like:

index=yourIndex

To each of the view's populating searches.

To find you data you will have set up a source/sourcetype (possibly using the defualts), you can use the search bar to search on these as follows (potentially adding the index in the command, as above):

source=yourSource
sourcetype=yourSourceType

You should substitute the "yourSource" and "yourSourceType" values with values relevant to your data (your can check these through the manager, or inputs.conf file)

Hope this helps

0 Karma

Drainy
Champion

I think you may be getting confused, or I might be getting confused. Its hard to tell.

Anyway, the Summary page of the search app is not equal to the summary index. If you add data via the summary page then just choose for it to drop into the "main" (default) index. It sounds like you have selected for it to go into the "summary" index, which is for something else altogether. (If you don't know what that is, then at the moment you don't need it 😉 ).

This then leads to why you don't see the data on the summary screen, even if you have it going into any index. The summary screen is only showing data going into the main index, so you need to either modify the XML to include other indexes or ensure your data is heading into the correct one!

Look here for details on how to do a bit of clean up 🙂
http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/RemovedatafromSplunk

yannK
Splunk Employee
Splunk Employee

about the summary page, it shows only the stats for the indexes that you can search on by default (usually the main index, see the roles for details on the list of the indexes)

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...