I am taking the Pluralsight tutorial. I have followed all the steps very carefully in the "Demo: Getting Data into Splunk" video. I first run into trouble about two minutes in. I uploaded the logfile successfully and successfully set the source type as access_combined_wcookie. My Event Break and Timestamp settings are the same as what is shown in the video. But in the large viewing window to the right, mine says "No results found. In the video there are Times and Events in this pane.
I thought that perhaps I just needed to follow all the steps through to see Times and events, so I created the new index, as per the tutorial, and submitted successfully. But then I got the same "No Results Found" message on the New Search screen. I should note that the only difference between me and the tutorial video is that in the bar underneath the words "New Search," the host = my computer's name instead of "thenson-desktop."
What do I need to do to see results?
What happens if you search:
index=*
...and set the time to "All Time"?
This search should get all non-hidden logs in your Splunk indexes. Hopefully you get logs from several sourcetypes, and you can click on the sourcetypes in the fields column on the list and hopefully find the one you specified when you onboarded your logs.
If your sourcetype does not appear, then it is likely that something went wrong with the onboarding.
Pluralsight is an external entity. We don't know each and every training on Splunm that is out there. We don't know what the video shows, what is the scope of the training and whatever "the window to the right" is. Is it a real Splunk interface or some mockup? How are we supposed to know that?
I'm using Splunk Enterprise, version 9.2.2, not a mockup.
I'm just using a logfile that I got from the Pluralsight website.
I opened the file and looked at it before I uploaded it, and it appeared to be the same file being used in the training. The numbers in the file matched what I saw in the video.
After I clicked the submit button to upload the file, I got a "success" message, so I believe it worked, but is there some way to see the file after I uploaded it to make sure it's correct?
Ahh. OK. That wasn't clear. I thought that maybe there's some "practice" environment with that training.
Anyway, you can look for your data by doing either what @marnall said or do a quick summary
| tstats count min(_time) as earliest max(_time) as latest where index IN (*,_*) by index sourcetype
| convert ctime(earliest) ctime(latest)
to see when and where your data is. (the underscore-beginning Splunk's internal indexes are just to show you what it should look like).
Run this search over All Time
Check that the timeframe for the search covers the times your events have been timestamped with (or simply use all time).
Thank you, but I am already using All Time. I've tried to follow the tutorial as closely as possible, and I think I've been successful in that, which is why this "No Results Found" is so confounding.