Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Data indexed but not displayed in Search

pramodkumar
Path Finder
‎12-30-2012 11:05 PM

Hi Team,

I have successfully indexed the data but it is not getting dispalyed in Search, dont know which settings i need to modify. I have checked in inputs.conf file also i have choosed option to continously monitor and index data. Please help me solution.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Drainy
Champion
‎12-31-2012 01:35 AM

How are you trying to search for it? Perhaps the best way to check would be to do a search for source=*FILENAME.CSV (case sensitive) over all time - this will show if it has been indexed or not, it could be that its assigned a timestamp based on a value within the CSV and stuck it somewhere in the past.

It should also be showing on the Search app summary page, is any data showing here? Its possible that it hasn't indexed it correctly, in which case we will have to start looking elsewhere..

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Drainy
Champion
‎12-31-2012 01:35 AM

How are you trying to search for it? Perhaps the best way to check would be to do a search for source=*FILENAME.CSV (case sensitive) over all time - this will show if it has been indexed or not, it could be that its assigned a timestamp based on a value within the CSV and stuck it somewhere in the past.

It should also be showing on the Search app summary page, is any data showing here? Its possible that it hasn't indexed it correctly, in which case we will have to start looking elsewhere..

0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎12-31-2012 07:45 AM

As I said above, you need to use source=*FILENAME.CSV (case sensitive). Also, you didn't mention what you can see in the summary view on the search app?

0 Karma
Reply
Solved! Jump to solution

pramodkumar
Path Finder
‎12-31-2012 01:53 AM

Hi Mate,
My file name which i selected name was Call_Details.csv, i have given as source=call_details.csv but nothing displayed. But when i selected it showed successfully indexed, dont know where the prob is..
Else my scenario is to continously monitor a particular directory or file.. what steps i need to follow and my OS is Windows.. Do i need to update anything in inputs.conf file..?

0 Karma
Reply
Solved! Jump to solution

pramodkumar
Path Finder
‎12-31-2012 01:26 AM

hi Drainy, am trying to upload a .csv file from a directory and i want to keep on indexing when there is any change in the file,
step 1:
selected required file
Step2:
opted for "Continously index data..."
Source Type: Manual (CSV)
Index: Default
Once i have the done the seetings and saved its showing data indexed successfully but not able to see the file in search area..
How can i assign it to my role (steps plz)
Let me know if for any queries..

0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎12-31-2012 12:41 AM

Could you give us some more info? such as your inputs... are you putting it into a new index? By default Splunk will only search the default (main) index so you need to add it to your role or to the search string to find the data.
When posting a question try to give as much information as possible, we can't see your setup so, "its not being displayed" doesn't give us much to go on 🙂

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...