Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

Can't query index=_internal

sittipornbaycom
Observer
โ€Ž11-28-2019 10:56 PM

Hi

We can't search log index=_internal _audit _introspection
We setup role select indexes "All non-internal indexes" and "All internal indexes" but can't see log _internal

Thanks

Regards

Labels (1)
Labels
0 Karma
Reply

rkyadav
Path Finder
โ€Ž11-29-2019 12:33 AM

HI,
You can look into Authorize.conf for these -
srchIndexesDefault = _internal
srchIndexesAllowed= _internal

if still issue persist , You can look for something in splunkd.log that can help tell you where the problem is by using ERROR keyword.
CLI- grep ERROR $SPLUNK_HOME/var/log/splunk/splunkd.log

Reply

dave_null
Explorer
โ€Ž11-29-2019 12:08 AM

What is your search query? Are you seeing anything when searching "index=_internal"?

0 Karma
Reply

sittipornbaycom
Observer
โ€Ž11-29-2019 07:52 PM

What is your search query?
index=_internal
Are you seeing anything when searching "index=_internal"?
I'm not see anything

0 Karma
Reply