Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Events from new index are not showing up

kjohnsonzenimax
Explorer
‎10-04-2012 05:33 AM

I have inherited a fairly undocumented splunk deployment which looks as follows (splunk 4.3.2):

Forwarders -> 2x Heavy Forwarders -> 3x Indexers -> Search Head

I have added an index to the Search Head via the web interface and installed two forwarders with an inputs.conf as below:

[monitor:////opt/tld/glassfish/domains/tldcs/logs/feedback.log]
sourcetype = tld_gameplay
index = tld_gameplay

[monitor:////home/tldcs/web/apps/cstools/log/production.log]
index = customer_service

[monitor:////opt/tld/glassfish/domains/tldcs/logs/server.log]
index = customer_service

[monitor:////opt/tld/glassfish/domains/tldcs/logs/services.log]
index = customer_service

The issue is that I am not seeing any events in the web interface.

How can I debug this? What information do you need from me, so that I can help you? How can I verify that data is, or is not, even being received by the heavy forwarder, and then the indexers?

I am unclear whether I need to "add" the index somewhere else other than via the web interface.

Thanks,

Tags (1)
Reply

kjohnsonzenimax
Explorer
‎10-10-2012 10:27 AM

All that I had to do was restart the individual indexers, which the heavy forwarder was reporting to. After doing this, events began showing up in the search.

Reply

sowings
Splunk Employee
Splunk Employee
‎10-04-2012 01:06 PM

Adding the index on the web interface adds it to the search head's local filesystem. It doesn't add it on the indexers themselves. In a lot of cases, the web interface of the indexers is turned off, to save memory as it commonly isn't used in this kind of distributed environment. I'd suggest first going to the indexers (command line is OK) and issuing splunk list indexes to see if your indexers have this new one.

You could then add them directly to the indexes.conf, or temporarily spin up the Splunk UI on the indexers to be able to use the UI to add the index.

0 Karma
Reply

kjohnsonzenimax
Explorer
‎10-10-2012 10:24 AM

Hey, thanks for your answer. I have just checked the three indexers, running the command 'splunk list index' and have verified that the new index is listed on all three indexers.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...