Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why can't I see data in the Search App's "Data Summary", but the data is searchable?

baxiani
Explorer
‎04-17-2015 04:52 AM

Hi all,

I monitor files on a heavy forwarder and use different sourcetypes and hosts for each file, but one common index.
On the search head, I can search this data, but I am not able to see these hosts and sourcetypes in search app "Data Summary"

Do you know why?

Tags (3)
0 Karma
Reply

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎01-23-2019 11:50 PM

@ngatchasandra is correct, the "Data Summary" in the Search & Reporting App is based on data for the configured default index, which is "main" by default.

If you wish to do a search that shows the same data as the "Data Summary", you can do the following:

| metadata index=<YOUR INDEX> type=<hosts, sources or sourcetypes>
| eval lastSeen = strftime(lastTime, "%x %l:%M:%S %p")
| rename <host, source, or sourcetype> AS <Host, Source, or Sourcetype>, totalCount AS Count, lastSeen AS "Last Update" 
| table <Host, Source, or Sourcetype>, Count, "Last Update"

Where you replace YOUR INDEX with your index minus the angle brackets, and select the appropriate type and reflect the selection in the rename command and table command.

e.g. For listing all sourcetypes, it would be

| metadata index=<YOUR INDEX> type=sourcetypes
| eval lastSeen = strftime(lastTime, "%x %l:%M:%S %p")
| rename sourcetype AS Sourcetype, totalCount AS Count, lastSeen AS "Last Update" 
| table Sourcetype, Count, "Last Update"

And this would be run across All Time (to see what you see in the Search & Reporting app, though do it at your discretion considering the index and amount of events).

Reply

ngatchasandra
Builder
‎04-17-2015 11:28 AM

Hi baxiani,

  • I think its because the data you have indexed the data in an index that you have created yourself . If you index the data by assigning the default index, you can see in DATA SUMMARY all information about hosts , sources and sourcetype.

  • It can can be possible that the data hasn't indexed correctly

You can test this!

Reply

juvetm
Communicator
‎04-17-2015 01:20 PM

HI baxiani
were you make a change on your data before it is been index

0 Karma
Reply

baxiani
Explorer
‎04-19-2015 11:49 PM

Good Morning,

thank you very much for your response.
Yes I have created this index myself. So I guess this is unfortunately normal.

@juvetm: I only configured the inputs.conf and outputs.conf. So there is no change of data before indexing.
On the forwarder I have indexAndForward = false

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...