I have build a new Splunk 5.0 server to be a search head and indexer.
I have one forwarder sending logs.
When I go to the Search Summary page it shows nothing.
All indexed data(window)
Events indexed N/A
Earliest event N/A
Latest event N/A
Sources (≥ 0)
Hosts (≥ 0)
Source types (≥ 0)
If I do a simple search, "index=
I have created indexes to separate the logs by type.
After a little research and chat with other Splunkers, I was told it might be related to metadata?
The command on the search prompt returns nothing.
| metadata type=hosts
I need some help.
A short term fix could be to edit the xml of the dashboard ($SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml
) and add the index to each search call there.
I was also thinking that this could be a role based issue. If you use roles and don't search the internal indexes by default, it might not return valid summary data.
A short term fix could be to edit the xml of the dashboard ($SPLUNK_HOME/etc/apps/search/default/data/ui/views/dashboard_live.xml
) and add the index to each search call there.
I was also thinking that this could be a role based issue. If you use roles and don't search the internal indexes by default, it might not return valid summary data.
sowings! YOU ROCK. That did the trick!
It's probably the case that the role for your user identity does not search those indexes by default. Try adding the <indexname> to the list of default indexes (Manager -> Access Controls -> Roles) and see if the summary page's contents change.