Solved: I can't see my data

Yann_T · ‎04-10-2014

I have installed splunk with an smtp apps.
While a few moments everythings was ok.
But since 7 days I can't see my data. The only thing I did was activate my new lincense. But it was about 6 days before today.
My data are stored in a specific index but I'm far from the max size limit.
What could be happened ?

martin_mueller · ‎04-11-2014

The problem appears to be that your user's role isn't searching the relevant indexes by default - then the display at the start will not see those events.

Edit your user's role to search all non-internal indexes by default if you want to change that, just remember that a search for "foo" will then search through all indexes.

View solution in original post

martin_mueller · ‎04-11-2014

The problem appears to be that your user's role isn't searching the relevant indexes by default - then the display at the start will not see those events.

Edit your user's role to search all non-internal indexes by default if you want to change that, just remember that a search for "foo" will then search through all indexes.

Yann_T · ‎04-17-2014

Thank you a lot

mycloudsplunk · ‎07-22-2019

Can you please tell me how to edit user's role to search all non-internal indexes?
@martin_mueller @Yann_T

Yann_T · ‎04-11-2014

Thank you when I add a filter I have my data. But I always see in the main page LAST EVENT : 8 days ago ?
I don't know why

martin_mueller · ‎04-11-2014

Add a filter like index=thatindex. Depending on your user's role you're only searching some indexes by default.

Yann_T · ‎04-11-2014

Ok so I can see that I have events in my indexer.
But when I try to catch out them with a simple "*" I don't have anything

martin_mueller · ‎04-11-2014

The indexing views can tell you if anything is being indexed, and into what index, to confirm if anything is coming in or not.

Yann_T · ‎04-11-2014

how can I see what's going wrong with SoS ? I can see a lot of things but for example I can't see anything in "Warnings and errors"

martin_mueller · ‎04-10-2014

Sounds like you're trying to tell Splunk to listen to data coming in on port 80, but binding to that port failed. Common reasons are either lack of permissions due to not being run as root, or already bound ports due to in this case an existing HTTP server.

Yann_T · ‎04-10-2014

I have the ERROR : tcpinputproc : could not bind to port IPV4 port 80

do you know what is it ?

martin_mueller · ‎04-10-2014

Those errors could be telling you something about what's going wrong.

The beauty of SoS is that you can see at a glance what amount of data is going where at what point in time, without having to crawl through the _internal index yourself.

Yann_T · ‎04-10-2014

I installed SoS app but how can it help me ? I don't see anything wrong at this time.
But I can see some errors in my logs

martin_mueller · ‎04-10-2014

Grab a copy of the SoS app for debugging: http://apps.splunk.com/app/748/

grijhwani · ‎04-10-2014

What platform are you running on? (Windows, version/Linux, distro)

What is the search string you are using?

What do you see in ${SPLUNK_HOME}/var/log/splunk/splunkd.log and ${SPLUNK_HOME}/var/log/splunk/web_access.log

Checking your licence (or license if you are American), are the details correct?
Manager -> Licensing

Yann_T · ‎04-10-2014

I am running a linux platform "centOs 6"

I just used "*" as search string in last 24 hours.

On the start page of my own apps I can see 2,527,605 Events INDEXED and LATEST EVENT : 7 days ago.

In my splunkd.log I have some errors notified many times

splunkd.log :

03-26-2014 13:07:38.038 +0100 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/snmp_ta/bin/snmp.py" No SNMP response received before timeout snmp_stanza:snmp://snmp_user_ssid snmp_destination:10.1.1.250 snmp_port:161

03-27-2014 11:06:14.625 +0100 WARN ExecProcessor - Streaming XML data: Received an event with missing or empty "data" tag.

03-27-2014 12:09:41.981 +0100 ERROR databasePartitionPolicy - insufficient privileges to perform this operation
03-27-2014 12:09:42.588 +0100 ERROR StreamingDeleteOperator - Error in 'delete' command: You have insufficient privileges to delete events.

04-09-2014 23:23:11.925 +0200 WARN DateParserVerbose - A possible timestamp match (Tue May 10 10:20:57 2005) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::snmp://userRxData|host::10.1.1.250|logsnmp_userRxData|0

And for my licence all details are correct (I'm french)

Thank you for your help

grijhwani · ‎04-10-2014

You probably need to provide more detail of the search you are using.

I can't see my data

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)