Splunk Search

Splunk 5.0 Search Summary page not showing any indexed logs, metadata related?

Path Finder

I have build a new Splunk 5.0 server to be a search head and indexer.
I have one forwarder sending logs.
When I go to the Search Summary page it shows nothing.

All indexed data(window)

Events indexed N/A
Earliest event N/A
Latest event N/A

Sources (≥ 0)

Hosts (≥ 0)

Source types (≥ 0)

If I do a simple search, "index=" I get results.

I have created indexes to separate the logs by type.
After a little research and chat with other Splunkers, I was told it might be related to metadata?

The command on the search prompt returns nothing.

| metadata type=hosts

I need some help.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

A short term fix could be to edit the xml of the dashboard ($SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml) and add the index to each search call there.

I was also thinking that this could be a role based issue. If you use roles and don't search the internal indexes by default, it might not return valid summary data.

View solution in original post

SplunkTrust
SplunkTrust

A short term fix could be to edit the xml of the dashboard ($SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml) and add the index to each search call there.

I was also thinking that this could be a role based issue. If you use roles and don't search the internal indexes by default, it might not return valid summary data.

View solution in original post

Path Finder

sowings! YOU ROCK. That did the trick!

0 Karma

Splunk Employee
Splunk Employee

It's probably the case that the role for your user identity does not search those indexes by default. Try adding the <indexname> to the list of default indexes (Manager -> Access Controls -> Roles) and see if the summary page's contents change.