Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Data indexed but not displayed in Search in splunk enterprise

samsingnok52
Engager
‎12-06-2017 07:24 AM

Hi Team,

I have successfully indexed the data but it is not getting displayed in Search, don't know what has gone wrong. Its a file-upload(one time indexing) type of data input configuration and i have created a new index for that particular file and a new sourcetype also.
I could able to see the logs while configuring the event breaking and timestamp format, but when i am searching for that particular index and sourcetype , i couldnt able to find any logs in the search head.
Kindly help me to identify the issue.

Its seems like a strange issue as iam experiencing it in even after two times reinstallation of splunk enterprise in my linux testing server.

Note: iam not experiencing this issue in any of the another linux server.

0 Karma
Reply

baldwintm
Path Finder
‎12-13-2017 04:06 PM

You could run a metadata search to see what time stamp is on the earliest and latest event.

| metadata type=sourcetype index=*

0 Karma
Reply

DalJeanis
Legend
‎12-08-2017 11:21 AM

I would be checking index _internal for messages showing how much data was indexed. If it doesn't show it, then it wasn't indexed. If it does show it, then you will be able to see WHERE it was indexed.

One possibility is that the user account you are using does not happen to have security access to that index.

0 Karma
Reply

niketn
Legend
‎12-06-2017 11:03 PM

@samsingnok52, would it be possible to give couple of mocked up rows from your file that you are trying to index. Please ensure to Anonymize/Mock any sensitive information. Also if possible the props.conf that you currently have.

Also have you checked index whether there are any events present. You can also use eventcount, tstats, dbinspect or metadata commands for this.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

samsingnok52
Engager
‎12-08-2017 03:19 AM

Hi Niket,

Thanks for your comments.I will try and revert back.
As of now , I have reinstalled the splunk enterprise and trying from the scratch.....

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-06-2017 08:40 AM

Try expanding the time window to All Time. That will account for possible timestamp problems causing events to be indexed in the "future".

---
If this reply helps you, Karma would be appreciated.
Reply

samsingnok52
Engager
‎12-06-2017 10:43 PM

i did searched for all time, but still couldnt able to find anything

0 Karma
Reply

teunlaan
Contributor
‎12-13-2017 03:44 AM

searching "all time" is "everthing in the past till NOW".
You need to select the date in the future, like @d+10y

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...