Splunk Search

Data indexed but not displayed in Search

Path Finder

Hi Team,

I have successfully indexed the data but it is not getting dispalyed in Search, dont know which settings i need to modify. I have checked in inputs.conf file also i have choosed option to continously monitor and index data. Please help me solution.

Tags (2)
1 Solution

Champion

How are you trying to search for it? Perhaps the best way to check would be to do a search for source=*FILENAME.CSV (case sensitive) over all time - this will show if it has been indexed or not, it could be that its assigned a timestamp based on a value within the CSV and stuck it somewhere in the past.

It should also be showing on the Search app summary page, is any data showing here? Its possible that it hasn't indexed it correctly, in which case we will have to start looking elsewhere..

View solution in original post

0 Karma

Champion

How are you trying to search for it? Perhaps the best way to check would be to do a search for source=*FILENAME.CSV (case sensitive) over all time - this will show if it has been indexed or not, it could be that its assigned a timestamp based on a value within the CSV and stuck it somewhere in the past.

It should also be showing on the Search app summary page, is any data showing here? Its possible that it hasn't indexed it correctly, in which case we will have to start looking elsewhere..

View solution in original post

0 Karma

Champion

As I said above, you need to use source=*FILENAME.CSV (case sensitive). Also, you didn't mention what you can see in the summary view on the search app?

0 Karma

Path Finder

Hi Mate,
My file name which i selected name was Call_Details.csv, i have given as source=call_details.csv but nothing displayed. But when i selected it showed successfully indexed, dont know where the prob is..
Else my scenario is to continously monitor a particular directory or file.. what steps i need to follow and my OS is Windows.. Do i need to update anything in inputs.conf file..?

0 Karma

Path Finder

hi Drainy, am trying to upload a .csv file from a directory and i want to keep on indexing when there is any change in the file,
step 1:
selected required file
Step2:
opted for "Continously index data..."
Source Type: Manual (CSV)
Index: Default
Once i have the done the seetings and saved its showing data indexed successfully but not able to see the file in search area..
How can i assign it to my role (steps plz)
Let me know if for any queries..

0 Karma

Champion

Could you give us some more info? such as your inputs... are you putting it into a new index? By default Splunk will only search the default (main) index so you need to add it to your role or to the search string to find the data.
When posting a question try to give as much information as possible, we can't see your setup so, "its not being displayed" doesn't give us much to go on 🙂

0 Karma