Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are my sourcetypes not loading any data?

henryf
Explorer
‎07-14-2023 11:05 AM

I have installed Splunk add on for AWS and created the inputs, which have a listed source type. However, when I try to search that source type, nothing comes up for the source. How can I fix this?

Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2023 11:48 AM

Sourcetype is only one factor for finding indexed data.  You also must look in the right index(es) and in the right time window.

The AWS input should have specified an index name for the data.  If it doesn't then change it to do so.  You'll use that name to search for the data.  An input without an index specified will put data into the Last Chance index (usually "main" on-prem or "lastchanceindex" in Splunk Cloud).  If you search without specifying an index name then Splunk will search your default indexes (if any), which may or may not include the AWS index.

All Splunk data is time-sequenced.  If data is onboarded with the incorrect time then you'll have a difficult time finding it.  Verify the sourcetype's TIME_FORMAT and TIME_PREFIX settings match the data being ingested.  Expand the time window of your search using earliest=0 latest=+10y to see if the data is coming in with the right timestamps.

Of course, check the logs to make sure there are no errors getting the data from AWS.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

henryf
Explorer
‎07-14-2023 12:14 PM

index is default for all my inputs and I always start my searches with index=*

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2023 12:48 PM

It's a Best Practice to send inputs to specific indexes rather than allow them to default.

It's a poor practice to use index=* in a query.  Anything other than a dev/test query should use specific index names.

Are the timestamps being extracted correctly?

Have you checked the logs?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

henryf
Explorer
‎07-14-2023 01:04 PM

nothing is being extracted. How do You check the logs and how else would you suggest I search for what I am looking for?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-14-2023 05:54 PM

If nothing is being extracted then either data is not getting from AWS to Splunk or the sourcetype doesn't describe the data well enough for Splunk to extract fields.

Start with splunkd.log to confirm the input is working and to see if there are any problems reported about the input or the data itself.  You can view the log with this query (assuming you have access)

index=_internal source=*splunkd.log
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

henryf
Explorer
‎07-17-2023 06:19 AM

data loaded when I put in that search. I don't understand how this relates to my problem though, how do I view the inputs I want?

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-17-2023 09:02 AM

The query displays Splunk's internal log so you can try to determine why your inputs are not producing data.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...