Security

I can't see my data

Yann_T
Path Finder

I have installed Splunk with an smtp app.
For a few moments everything was OK.
But for the last 7 days I can't see my data. The only thing I did was activate my new license, but that was about 6 days ago.
My data are stored in a specific index but I'm far from the max size limit.
What could have happened?

0 Karma
1 Solution

martin_mueller
SplunkTrust

The problem appears to be that your user's role isn't searching the relevant indexes by default, so the display at the start will not see those events.

Edit your user's role to search all non-internal indexes by default if you want to change that, just remember that a search for "foo" will then search through all indexes.


0 Karma
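The accepted answer says the role is not searching the relevant index by default, and mycloudsplunk later asks how to change that. As an added example, not from the thread and not Splunk's own code, the Python script below models the authorize.conf settings involved (srchIndexesAllowed, srchIndexesDefault and importRoles are real Splunk settings) against constructed sample stanzas and a constructed index list, and reports for a given role and index whether `index=thatindex` would be permitted and whether a bare `*` search would reach it. The matching rules it applies (`*` covers all non-internal indexes, `_*` the internal ones, and a role's effective lists are the union over the roles it imports) are a simplified model assumed here, not taken from the page.

```python
"""Which indexes does a Splunk role search when no index= filter is given?

Added example, not Splunk's own code. srchIndexesAllowed, srchIndexesDefault
and importRoles are real authorize.conf settings; the stanzas and the index
list below are constructed, and the matching rules are a simplified model
(assumed): '*' covers non-internal indexes, '_*' the internal ones, and a
role's effective lists are the union over the roles it imports.
"""
import configparser
import fnmatch

# Constructed: the role may search "thatindex" but does not include it by
# default, so a bare "*" search never reaches it (the symptom in the thread).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main;thatindex
srchIndexesDefault = main

[role_analyst]
importRoles = user
srchIndexesAllowed = *
"""

# Constructed: the corrected stanza, searching all non-internal indexes by default.
FIXED_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main;thatindex
srchIndexesDefault = *
"""

# Constructed list of indexes on the instance; names starting with "_" are internal.
INDEXES = ["main", "thatindex", "_internal", "_audit"]


def load_roles(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the camelCase setting names as written
    cp.read_string(text)
    return cp


def _split(value):
    """Splunk separates index patterns with ';'."""
    return [p.strip() for p in value.split(";") if p.strip()]


def _expand(patterns, indexes):
    """Resolve index patterns against the known index names."""
    out = set()
    for pat in patterns:
        if pat == "*":
            out.update(i for i in indexes if not i.startswith("_"))
        else:
            out.update(i for i in indexes if fnmatch.fnmatchcase(i, pat))
    return out


def effective(cp, role, key, seen=None):
    """Union of `key` patterns over the role and everything it imports."""
    if seen is None:
        seen = set()
    section = f"role_{role}"
    if role in seen or not cp.has_section(section):
        return set()
    seen.add(role)
    pats = set(_split(cp[section].get(key, "")))
    for parent in _split(cp[section].get("importRoles", "")):
        pats |= effective(cp, parent, key, seen)
    return pats


def index_visibility(conf_text, role, index, indexes=INDEXES):
    """allowed: 'index=<name>' is permitted; searched_by_default: a bare '*' reaches it."""
    cp = load_roles(conf_text)
    allowed = _expand(effective(cp, role, "srchIndexesAllowed"), indexes)
    default = _expand(effective(cp, role, "srchIndexesDefault"), indexes) & allowed
    return {"allowed": index in allowed, "searched_by_default": index in default}


if __name__ == "__main__":
    for label, conf in (("before", SAMPLE_AUTHORIZE_CONF), ("after", FIXED_AUTHORIZE_CONF)):
        print(label, "user/thatindex:", index_visibility(conf, "user", "thatindex"))
```

Run against the constructed stanzas, the "before" role reports thatindex as allowed but not searched by default (a filtered search works, a bare `*` finds nothing), and the "after" role reports both. On a real instance the same settings live in authorize.conf or are edited per role in the access-control pages, and, as the answer warns, once the default is `*` a search for "foo" with no index= filter scans every non-internal index.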

Yann_T
Path Finder

Thank you a lot

0 Karma

mycloudsplunk
New Member

Can you please tell me how to edit the user's role to search all non-internal indexes?
@martin_mueller @Yann_T

0 Karma

Yann_T
Path Finder

Thank you. When I add a filter I have my data. But I always see on the main page LAST EVENT: 8 days ago?
I don't know why.

0 Karma

martin_mueller
SplunkTrust

Add a filter like index=thatindex. Depending on your user's role you're only searching some indexes by default.

Yann_T
Path Finder

OK, so I can see that I have events in my indexer.
But when I try to pull them out with a simple "*" I don't get anything.

0 Karma

martin_mueller
SplunkTrust

The indexing views can tell you if anything is being indexed, and into what index, to confirm if anything is coming in or not.

Yann_T
Path Finder

How can I see what's going wrong with SoS? I can see a lot of things but, for example, I can't see anything in "Warnings and errors".

0 Karma

martin_mueller
SplunkTrust

Sounds like you're trying to tell Splunk to listen for data coming in on port 80, but binding to that port failed. Common reasons are either lack of permissions due to not being run as root, or an already-bound port due to, in this case, an existing HTTP server.

0 Karma

Yann_T
Path Finder

I have the ERROR : tcpinputproc : could not bind to port IPV4 port 80

Do you know what it is?

0 Karma

martin_mueller
SplunkTrust

Those errors could be telling you something about what's going wrong.

The beauty of SoS is that you can see at a glance what amount of data is going where at what point in time, without having to crawl through the _internal index yourself.

0 Karma

Yann_T
Path Finder

I installed the SoS app, but how can it help me? I don't see anything wrong at this time.
But I can see some errors in my logs.

0 Karma

martin_mueller
SplunkTrust

Grab a copy of the SoS app for debugging: http://apps.splunk.com/app/748/

grijhwani
Motivator

What platform are you running on? (Windows, version/Linux, distro)

What is the search string you are using?

What do you see in ${SPLUNK_HOME}/var/log/splunk/splunkd.log and ${SPLUNK_HOME}/var/log/splunk/web_access.log?

Checking your licence (or license if you are American), are the details correct?
Manager -> Licensing

0 Karma

Yann_T
Path Finder

I am running a Linux platform, "CentOS 6".

I just used "*" as the search string over the last 24 hours.

On the start page of my own app I can see 2,527,605 Events INDEXED and LATEST EVENT: 7 days ago.

In my splunkd.log I have some errors reported many times.

splunkd.log :

03-26-2014 13:07:38.038 +0100 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/snmp_ta/bin/snmp.py" No SNMP response received before timeout snmp_stanza:snmp://snmp_user_ssid snmp_destination:10.1.1.250 snmp_port:161

03-27-2014 11:06:14.625 +0100 WARN ExecProcessor - Streaming XML data: Received an event with missing or empty "data" tag.

03-27-2014 12:09:41.981 +0100 ERROR databasePartitionPolicy - insufficient privileges to perform this operation
03-27-2014 12:09:42.588 +0100 ERROR StreamingDeleteOperator - Error in 'delete' command: You have insufficient privileges to delete events.

04-09-2014 23:23:11.925 +0200 WARN DateParserVerbose - A possible timestamp match (Tue May 10 10:20:57 2005) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::snmp://userRxData|host::10.1.1.250|logsnmp_userRxData|0

And for my licence all details are correct (I'm French).

Thank you for your help

0 Karma
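The splunkd.log excerpt above, together with the bind-to-port-80 error and the SoS warnings/errors view discussed earlier in the thread, is the kind of material a small triage script can summarize. The Python below is an added example, not Splunk's or SoS's own tooling: it parses splunkd.log lines in their standard layout (date, UTC offset, level, component, " - ", message), counts entries per level and component, and maps messages matching the symptoms raised in this thread to the check each one calls for. The sample lines are the ones Yann_T posted plus one constructed line standing in for the bind error (its component name and wording are assumed) and one deliberately malformed line to show the parser skipping it.

```python
"""Triage splunkd.log lines for the symptoms discussed in this thread.

Added example, not Splunk's own tooling. The line layout (date, offset,
level, component, " - ", message) is what splunkd.log writes; the sample
below reuses the thread's lines, adds one constructed TcpInputProc line
for the bind error mentioned in the thread, and one malformed line.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
03-26-2014 13:07:38.038 +0100 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/snmp_ta/bin/snmp.py" No SNMP response received before timeout snmp_stanza:snmp://snmp_user_ssid snmp_destination:10.1.1.250 snmp_port:161
03-27-2014 11:06:14.625 +0100 WARN ExecProcessor - Streaming XML data: Received an event with missing or empty "data" tag.
03-27-2014 12:09:41.981 +0100 ERROR databasePartitionPolicy - insufficient privileges to perform this operation
03-27-2014 12:09:42.588 +0100 ERROR StreamingDeleteOperator - Error in 'delete' command: You have insufficient privileges to delete events.
04-09-2014 23:23:11.925 +0200 WARN DateParserVerbose - A possible timestamp match (Tue May 10 10:20:57 2005) is outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE. Context: source::snmp://userRxData|host::10.1.1.250|logsnmp_userRxData|0
04-10-2014 08:00:00.000 +0200 ERROR TcpInputProc - Could not bind to IPv4 port 80 (constructed sample line)
this line is not in splunkd.log format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+) (?P<component>\S+) - (?P<message>.*)$"
)

# Message patterns -> what to check. The hints restate the thread's own advice
# and the text of the messages themselves.
SYMPTOMS = [
    (re.compile(r"could not bind", re.I),
     "input port bind failed: port already in use (e.g. an existing HTTP server "
     "on 80) or splunkd lacks permission to bind it"),
    (re.compile(r"outside of the acceptable time window"),
     "extracted timestamp rejected as too far from now; review MAX_DAYS_AGO / "
     "MAX_DAYS_HENCE and the source's timestamp settings"),
    (re.compile(r"insufficient privileges"),
     "a 'delete' ran under a role without the delete capability"),
    (re.compile(r"No SNMP response received before timeout"),
     "scripted SNMP input produced no data for this poll"),
]


def parse_line(line):
    """Return a dict for one splunkd.log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
    return entry


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def count_by_component(entries):
    """Counter keyed by (level, component), the shape of a warnings/errors view."""
    return Counter((e["level"], e["component"]) for e in entries)


def diagnose(entries):
    """Map each matched hint to the set of components that raised it."""
    found = {}
    for e in entries:
        for pattern, hint in SYMPTOMS:
            if pattern.search(e["message"]):
                found.setdefault(hint, set()).add(e["component"])
    return found


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for (level, component), n in count_by_component(entries).most_common():
        print(f"{n:3d}  {level:5s} {component}")
    for hint, components in diagnose(entries).items():
        print(f"- {', '.join(sorted(components))}: {hint}")
```

To use it on a live instance, read ${SPLUNK_HOME}/var/log/splunk/splunkd.log into `parse_log` instead of SAMPLE_LOG. Note that only the bind failure stops data from arriving at all; the timestamp warning and the SNMP timeout affect individual sources, which is why checking which index the events land in (the accepted answer) comes first.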

grijhwani
Motivator

You probably need to provide more detail of the search you are using.

0 Karma