Splunk Enterprise

With data not indexing, what are other steps to follow to get data in index XYZ?

Santosh2
Observer

Index=XYZ  source= abc*.logs host=kfg 

So I when I checked in internal index data is coming from host, I checked forwarder server class mapping is fine, I could see the data is deploying. But still cannot see data.

What other steps i need to follow to get data in index XYZ

 

Labels (1)
Tags (1)
0 Karma

gcusello
Legend

Hi @Santosh2,

maybe the timestamp isn't correctly parsed, try to search something special of your logs in a very large time period.

Then, if you're searching logs in the first 11 days of the month, try to search the 1st of may (01/05/2022) at the 5th of january (05/01/2022).

Then, are you sure about index?

then, try to add an asterisk at the beginning of the source, maybe there's the full path and/ot an asterisk at the end of host, maybe there's the FQDN name instead of the hostname.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...