Knowledge Management

How to fix misleading "What to search"/Data Summary in Search & Reporting?

Path Finder

I have been working with new inputs for a testing environment and I noticed that at one point the Data Summary said that there are 10 events indexed, with the earliest and latest event being 2 months ago. At first I thought that the data indexed had been erased, but after checking some custom dashboards, executing searches, and checking the server's storage, all the data is still there. Why is the Data Summary not reflecting the reality of the amount of data indexed? It was working fine earlier in the day and the only changes I made were in inputs.conf and props.conf; I didn't change the configuration of the server or the indexes.

Running 7.3.4 on a single-instance deployment.

1 Solution

Path Finder

I don't know what triggered this issue to occur, but going into Settings > Users and Authentication > Access Controls > Roles and under any of the roles enabling "All non-internal indexes" as a Default fixes this.

SplunkTrust

One possibility is that you may have temporarily had an indexer offline.

Path Finder

I am able to search logs in the past 5 minutes with no issue and Data Summary still shows 10 events from 2 months ago.
