I am a splunk novice.
https://answers.splunk.com/answers/522405/why-is-there-no-data-in-my-summary-index.html
Description: I created a Splunk cluster and created a lot of alert strategies on my search server. Some alerts write to the summary index, and the summary index name is "alerts". I confirm that the alerts are existing ones, and I'm sure a lot of alerts have been triggered. But when I run "index=alerts" on the search server, it returns empty, and I got this message in the search server's web UI: "Received event for unconfigured/disabled/deleted ...." as shown below:
Question: Why is no data written to my summary index? Is there a problem with my configuration?
Have you enabled data forwarding on the search head to send the indexed data to the indexers? You can enable event forwarding on the search head by going to Settings > Forwarding and receiving > Configure forwarding > add your two indexers. This way the data that you asked to index on the search head will be forwarded to the indexers and will get indexed.
Can you run the query below and verify that the index is created on your indexers?
| eventcount summarize=false index=alerts
Verify if all your indexers are listed here.
Try restarting the indexers also once.
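The UI steps above end up as an outputs.conf on the search head, and the "Received event for unconfigured/disabled/deleted index" message means the receiving side has no index called "alerts". The following is an added example (not from the original post or from Splunk's own documentation) of the two configuration files that together make summary indexing work in a clustered deployment. The hostnames idx1.example.com / idx2.example.com, the port 9997, the group name primary_indexers and the app name summary_indexes are assumptions for illustration.

```ini
# --- On the search head: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Default group receives everything the search head indexes itself,
# including summary-index events written by alerts and collect/sistats.
[tcpout]
defaultGroup = primary_indexers
# Do NOT keep a local copy; the search head should only forward.
indexAndForward = false

# Assumed indexer hostnames and receiving port (the indexers must be
# configured to receive on this port under Settings > Forwarding and
# receiving > Configure receiving, or inputs.conf [splunktcp://9997]).
[tcpout:primary_indexers]
server = idx1.example.com:9997,idx2.example.com:9997

# --- On the cluster master/manager, pushed to every peer:
# $SPLUNK_HOME/etc/master-apps/summary_indexes/local/indexes.conf
# (manager-apps on newer releases; then run "splunk apply cluster-bundle").
# Defining the index only on the search head is not enough: the peers
# that receive the forwarded events are the ones that need this stanza.
[alerts]
homePath   = $SPLUNK_DB/alerts/db
coldPath   = $SPLUNK_DB/alerts/colddb
thawedPath = $SPLUNK_DB/alerts/thaweddb
# Required in an indexer cluster so the index is replicated across peers.
repFactor  = auto
```

After the bundle is applied and the search head is restarted, `| eventcount summarize=false index=alerts` should list every peer with a count, and the "unconfigured/disabled/deleted" message should stop appearing. Check splunkd.log on the search head for "TcpOutputProc" connection errors if the count stays at zero, because a forwarder that cannot reach any server in the group will queue and then drop data rather than index it locally when indexAndForward is false.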
The result is 0. What should I do next?
This is a cluster.