Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Indexes screen not showing Event counts and earliest latest details

KeithH
Path Finder
‎01-31-2021 07:18 PM

Hi,

I am new to splunk but have noticed that in the Settings- Indexes screen there are columns for these values:

  • Event Count
  • Earliest Event
  • Latest Event

These are very useful but one one particular installation I am supporting there are no values for these columns and the current size for all these indexes shows as 1MB.

Splunk version is 7.3.6

Any idea what could be causing this?

Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-01-2021 08:01 PM

Hi @KeithH,

On your search results "splunk_server" field shows "2". This means you have 2 indexers. If you check that field you can see indexers hostnames. 

Or you can try the below link to see your indexers;

https://splunk_address:port/en-US/manager/search/search/distributed/peers

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-31-2021 11:24 PM

Hi @KeithH,

if you have novalues in the indexes eventcount , this means tha tyou haven't events in that index.

The reason of this can be many:

at first are you viewing a Search Head, an Indexer cluster, an Indexer or a stand alone machine?

Then, how are you ingesting data in that index?

you should share some additional info.

Ciao.

Giuseppe

0 Karma
Reply

KeithH
Path Finder
‎02-01-2021 02:05 PM

Hi Giuseppe,

You are right I didn't put enough info in.  I am signing onto the main search head which is on the same box as Indexer 1 (of 2).  All the event count details are blank for all indexes but I can search on most of them and find very recent transactions.  See screenshots below

I am guessing that perhaps the search head (even though its on the same server) is a different instance from the indexer and perhaps I have to sign on to the indexers webpage to see these counts.  But that seems a bit daft and I dont know what the url for the indexer would be.

Any other suggestions?

KeithH_0-1612216656853.pngKeithH_1-1612216803353.png

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...