
Why can't I see data in the Search App's "Data Summary", but the data is searchable?

Explorer

Hi all,

I monitor files on a heavy forwarder and use different sourcetypes and hosts for each file, but one common index.
On the search head, I can search this data, but I am not able to see these hosts and sourcetypes in search app "Data Summary"

Do you know why?


Re: Why can't I see data in the Search App's "Data Summary", but the data is searchable?

Hi baxiani,

  • I think it's because you have indexed the data in an index that you created yourself. If you index the data into the default index, you can see all information about hosts, sources and sourcetypes in DATA SUMMARY.

  • It can also be possible that the data hasn't been indexed correctly.

You can test this!


Re: Why can't I see data in the Search App's "Data Summary", but the data is searchable?

Communicator

Hi baxiani,
Did you make a change to your data before it was indexed?


Re: Why can't I see data in the Search App's "Data Summary", but the data is searchable?

Explorer

Good Morning,

Thank you very much for your response.
Yes, I have created this index myself. So I guess this is unfortunately normal.

@juvetm: I only configured the inputs.conf and outputs.conf. So there is no change of data before indexing.
On the forwarder I have indexAndForward = false


Re: Why can't I see data in the Search App's "Data Summary", but the data is searchable?

Path Finder

@ngatchasandra is correct, the "Data Summary" in the Search & Reporting App is based on data for the configured default index, which is "main" by default.

If you wish to do a search that shows the same data as the "Data Summary", you can do the following:

| metadata index=<YOUR INDEX> type=<hosts, sources or sourcetypes>
| eval lastSeen = strftime(lastTime, "%x %l:%M:%S %p")
| rename <host, source, or sourcetype> AS <Host, Source, or Sourcetype>, totalCount AS Count, lastSeen AS "Last Update" 
| table <Host, Source, or Sourcetype>, Count, "Last Update"

where you replace <YOUR INDEX> with your index (without the angle brackets), select the appropriate type, and reflect that selection in the rename and table commands.

e.g. For listing all sourcetypes, it would be

| metadata index=<YOUR INDEX> type=sourcetypes
| eval lastSeen = strftime(lastTime, "%x %l:%M:%S %p")
| rename sourcetype AS Sourcetype, totalCount AS Count, lastSeen AS "Last Update" 
| table Sourcetype, Count, "Last Update"

And this would be run across All Time (to see what you see in the Search & Reporting app, though do it at your discretion considering the index and amount of events).
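Building on the same `| metadata` command, here is an added example (not from the thread itself) that turns the listing into a quick ingestion-health check: it shows only the sourcetypes in the index whose most recent event is older than a threshold, which is one way to investigate the "data hasn't been indexed correctly" possibility raised earlier. The index placeholder and the 3600-second threshold are assumptions to adjust for your environment.

```spl
| metadata index=<YOUR INDEX> type=sourcetypes
| eval ageSeconds = now() - lastTime
| where ageSeconds > 3600
| eval lastSeen = strftime(lastTime, "%Y-%m-%d %H:%M:%S")
| rename sourcetype AS Sourcetype, totalCount AS Count, lastSeen AS "Last Update", ageSeconds AS "Seconds Since Last Event"
| table Sourcetype, Count, "Last Update", "Seconds Since Last Event"
| sort - "Seconds Since Last Event"
```

Like the search above, run it across All Time so the metadata covers the whole index; a sourcetype that appears here but should be continuously monitored points at the forwarder input rather than at the Data Summary view.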
