Splunk Enterprise

Splunk internal search

uagraw01
Motivator

Hello Splunkers!!

I am not getting any data in the internal index for the last 24 hours. Please let me know what the cause could be and what I need to check.

(screenshot attached)

isoutamo
SplunkTrust

Hi

Are you sure that you have access to the _internal index? You could check it by

| rest /services/authentication/users splunk_server=local f=roles 
| search title="<YOUR SPLUNK ACCOUNT NAME>"
| fields title roles 
| join roles 
    [| rest /services/authorization/roles 
    | fields title srchIndexesAllowed srchIndexesDefault srchIndexesDisallowed 
    | dedup title 
    | rename title as roles
        ] 
| transpose

Just look at what you have on the allowed and disallowed rows.

r. Ismo 

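The query above prints each role's srchIndexesAllowed and srchIndexesDisallowed values, but the reader still has to apply Splunk's wildcard rules by hand. The following is an added example, not code from the thread or from Splunk: it evaluates those two lists for a given index using a constructed stand-in for the REST response. It assumes the patterns are glob-style and that a bare `*` does not match underscore-prefixed (internal) indexes such as `_internal`, which need `_*` or an explicit name; the role names and values are made up.

```python
"""Evaluate Splunk role index patterns against an index name (added example)."""
import fnmatch

# Constructed sample shaped like the fields the thread's query extracts
# (srchIndexesAllowed / srchIndexesDisallowed per role). Not real data.
SAMPLE_ROLES = {
    "admin": {
        "srchIndexesAllowed": ["*", "_*"],
        "srchIndexesDisallowed": [],
    },
    "user": {
        "srchIndexesAllowed": ["*"],             # no "_*": internal indexes hidden
        "srchIndexesDisallowed": [],
    },
    "analyst": {
        "srchIndexesAllowed": ["*", "_*"],
        "srchIndexesDisallowed": ["_internal"],  # explicitly blocked
    },
}


def pattern_matches(pattern: str, index: str) -> bool:
    """Glob match with the internal-index rule (assumption stated in the lead-in).

    An index whose name starts with "_" is internal; only a pattern that itself
    starts with "_" may match it, so "*" alone never covers "_internal".
    """
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def role_allows(role: dict, index: str) -> bool:
    """A role grants access when an allowed pattern matches and no disallowed one does."""
    allowed = any(pattern_matches(p, index) for p in role.get("srchIndexesAllowed", []))
    blocked = any(pattern_matches(p, index) for p in role.get("srchIndexesDisallowed", []))
    return allowed and not blocked


def access_by_role(user_roles, index: str, roles=SAMPLE_ROLES) -> dict:
    """Per-role verdict for the roles assigned to a user, mirroring the transposed
    rows of the thread's query; unknown role names are reported as False."""
    return {name: role_allows(roles.get(name, {}), index) for name in user_roles}


if __name__ == "__main__":
    for name in SAMPLE_ROLES:
        print(f"{name:8s} _internal -> {role_allows(SAMPLE_ROLES[name], '_internal')}")
    print(access_by_role(["user", "analyst"], "_internal"))
```

Feed it the real allowed/disallowed values from the REST query instead of SAMPLE_ROLES to see, per role, whether the user's account should be able to search _internal at all; a False here means the empty search is a permission problem rather than a data-flow problem.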

uagraw01
Motivator

@isoutamo I can access it; I have admin access. I can see logs within 24 hours. But not for the last 24 hours.


isoutamo
SplunkTrust

Do you have enough disk space for
1) writing those logs to disk
2) indexing them into _internal

uagraw01
Motivator

@isoutamo We have good storage for Splunk db.

(screenshot attached)

ITWhisperer
SplunkTrust

Does your role have permissions to read the _internal index? Has this ever worked?


uagraw01
Motivator

@ITWhisperer Yes, that's why I specified the last 24 hours.
