Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search head not writing to internal or summary indexes

pj
Contributor
‎10-18-2010 05:46 PM

We recently migrated a search head off an indexer onto a dedicated server. However it would seem that none of the internal (e.g. _internal, _audit) or default summary (e.g. summary) indexes are being written to. There is plenty of disk space assigned, so that does not seem to be the issue.

We only migrated over the users, apps and searches, not the indexes.

We did edit the inputs.conf file to not log var logs as this was causing the license to go over (as we dont have an indexing license for the search head - we are simply using the forwarder license as documented for search head implementation).

Any ideas what might be up? Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ellen
Splunk Employee
Splunk Employee
‎10-26-2010 05:45 PM

A Splunk Support case was logged for this issue.

Summary indexing was not occurring on the search head due to an incorrect entry in $SPLUNK_HOME/etc/system/local props.conf which sent the summary index's stash files to the nullqueue.

Removed in props.conf the stanza

[stash]
TRANSFORMS-set = setnull

When you run a saved search with summary indexing turned on, its search results are temporarily stored in a file ($SPLUNK_HOME/var/spool/splunk/<savedsearch_name>_<random-number>.stash). There should not be a need to manipulate these temporary stash files.

For further reference on summary indexing and backfill summary data gaps refer to the following: http://www.splunk.com/base/Documentation/latest/Knowledge/Usesummaryindexing?r=searchtip http://www.splunk.com/base/Documentation/4.1.5/Knowledge/Managesummaryindexgapsandoverlaps.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ellen
Splunk Employee
Splunk Employee
‎10-26-2010 05:45 PM

A Splunk Support case was logged for this issue.

Summary indexing was not occurring on the search head due to an incorrect entry in $SPLUNK_HOME/etc/system/local props.conf which sent the summary index's stash files to the nullqueue.

Removed in props.conf the stanza

[stash]
TRANSFORMS-set = setnull

When you run a saved search with summary indexing turned on, its search results are temporarily stored in a file ($SPLUNK_HOME/var/spool/splunk/<savedsearch_name>_<random-number>.stash). There should not be a need to manipulate these temporary stash files.

For further reference on summary indexing and backfill summary data gaps refer to the following: http://www.splunk.com/base/Documentation/latest/Knowledge/Usesummaryindexing?r=searchtip http://www.splunk.com/base/Documentation/4.1.5/Knowledge/Managesummaryindexgapsandoverlaps.

Reply
Solved! Jump to solution

pj
Contributor
‎10-18-2010 08:38 PM

No worries, it appears, we had an outputs.conf file containing, amongst others, the following lines:

[tcpout:lb]
indexAndForward = false
server = index.myserver.com:9997
autoLB = true
forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*
forwardedindex.2.whitelist = _audit
forwardedindex.3.whitelist = _internal
forwardedindex.filter.disable = false

We deleted the outputs.conf file as we are not sending data anywhere and the indexes started repopulating on the search head. THe forwarder app was disabled, so not sure why this outputs.conf would make a difference.

Reply
Solved! Jump to solution

tpsplunk
Communicator
‎10-31-2011 10:41 AM

it looks like the $SPLUNK_HOME/etc/system/default/outputs.conf also has those same forwardedindex whitelist/blacklist lines. do you have another outputs.conf that overrides the system/default and allows _internal index data to be forwarded to your indexers? I presume you didn't delete the system/default/outputs.conf?

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎10-18-2010 05:50 PM

If you have enabled the forwarder app, that could turn off local indexing. You can check which apps are enabled by running the following command:

/opt/splunk/bin/splunk display app
0 Karma
Reply
Solved! Jump to solution

pj
Contributor
‎10-18-2010 06:05 PM

Forwarder app is disabled.

SplunkForwarder UNCONFIGURED DISABLED INVISIBLE
SplunkLightForwarder UNCONFIGURED DISABLED INVISIBLE

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...