Splunk Search

i feel dumb, but I see no data when I search in splunk.

Path Finder

I created 8 data inputs, each one is supposed to tail log files matching a certain whitelist regex.
These inputs see the files (my preview worked and I see the # of files in the data inputs page).

The Application im using for the inputs is SEARCH.

When I go to the SEARCH app, I type a word I KNOW is in the logs, and I get nothing.
I type * and I get nothing.

I'm clearly missing something basic.

This wasn't this hard when I did this a few years ago.


Re: i feel dumb, but I see no data when I search in splunk.

Motivator

Could you post the relevant stanza from inputs.conf? Are you sending the data to an index you're then not searching for?

0 Karma

Re: i feel dumb, but I see no data when I search in splunk.

Path Finder

Here is a sample of a few...

[monitor://\\XXX-vdi-csa01\c$\Documents and Settings\All Users\Application Data\VMware\VDM\logs]
disabled = false
followTail = 1
host = XXX-VDI-CSA01DEBUG-LOG
sourcetype = vmware_viewconnectionbrokerdebuglog
index = vmwareviewbrokers
blacklist = log-*.txt
whitelist = debug-*.txt

[monitor://\\XXX-vdi-csb01\c$\Documents and Settings\All Users\Application Data\VMware\VDM\logs]
disabled = false
followTail = 1
host = XXX-VDI-CSB01LOG
sourcetype = vmware_viewconnectionserverlog
index = vmware_view_brokers
blacklist = debug-*.txt
whitelist = log-*.txt

0 Karma

Re: i feel dumb, but I see no data when I search in splunk.

Motivator

Here's the likely reason:
index = vmwareviewbrokers

The summary app, and by default your role, will only search index=main. Simply add:
index=vmwareviewbrokers

to your search and you should see the data just fine.

You can change the default index that is searched under Manager > User Roles > your role.


Re: i feel dumb, but I see no data when I search in splunk.

Path Finder

How can I make the default index the brokers index? I plan to use Splunk for nothing else but watching brokers.

0 Karma

Re: i feel dumb, but I see no data when I search in splunk.

Path Finder

So, I did that...
index="vmwareviewbrokers" WARN

and I don't find any occurrence of WARN.

0 Karma

Re: i feel dumb, but I see no data when I search in splunk.

Splunk Employee

Also make sure the indexes are actually created.

0 Karma
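As an added illustration (not code from this thread or from Splunk), here is a small Python check that ties the two replies above together: it parses constructed inputs.conf, indexes.conf and authorize.conf fragments and reports (a) indexes that inputs write to but indexes.conf never defines, and (b) indexes a role does not search by default, so events only appear when index=... is typed explicitly. The file contents, hostnames and the role name are constructed samples; the conf keys used (index, disabled, srchIndexesDefault, homePath/coldPath/thawedPath) are real Splunk settings.

```python
import configparser

# Constructed sample .conf fragments (not the poster's real files).
INPUTS_CONF = r"""
[monitor://\\XXX-vdi-csa01\c$\Documents and Settings\All Users\Application Data\VMware\VDM\logs]
disabled = false
index = vmwareviewbrokers
whitelist = debug-*.txt

[monitor://\\XXX-vdi-csb01\c$\Documents and Settings\All Users\Application Data\VMware\VDM\logs]
disabled = false
index = vmware_view_brokers
whitelist = log-*.txt
"""

# Only one of the two indexes referenced above is actually defined here.
INDEXES_CONF = r"""
[vmwareviewbrokers]
homePath   = $SPLUNK_DB/vmwareviewbrokers/db
coldPath   = $SPLUNK_DB/vmwareviewbrokers/colddb
thawedPath = $SPLUNK_DB/vmwareviewbrokers/thaweddb
"""

# The role may search any index, but by default only searches main.
AUTHORIZE_CONF = r"""
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main
"""

# Indexes Splunk ships with; these exist without an indexes.conf stanza.
BUILTIN_INDEXES = {"main", "history", "summary", "_internal", "_audit"}


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style .conf text. Splunk keys are case-sensitive,
    so keep their case, and disable %-interpolation so $SPLUNK_DB is literal."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def input_indexes(inputs: configparser.ConfigParser) -> dict:
    """Map each enabled input stanza to the index it writes to.
    Splunk writes to main when a stanza has no 'index' setting."""
    result = {}
    for stanza in inputs.sections():
        if stanza == "default":
            continue
        if inputs.get(stanza, "disabled", fallback="false").lower() in ("1", "true"):
            continue
        result[stanza] = inputs.get(stanza, "index", fallback="main")
    return result


def undefined_indexes(inputs_text: str, indexes_text: str) -> dict:
    """Indexes referenced by inputs.conf that indexes.conf never defines,
    mapped to the stanzas that reference them. Data sent to such an index is
    dropped (or lands in lastChanceIndex if configured), so the event count
    stays 0 exactly as the poster observed."""
    defined = set(parse_conf(indexes_text).sections()) | BUILTIN_INDEXES
    missing = {}
    for stanza, idx in input_indexes(parse_conf(inputs_text)).items():
        if idx not in defined:
            missing.setdefault(idx, []).append(stanza)
    return missing


def default_search_indexes(authorize_text: str, role: str) -> list:
    """The role's srchIndexesDefault list (semicolon-separated in authorize.conf)."""
    auth = parse_conf(authorize_text)
    value = auth.get(f"role_{role}", "srchIndexesDefault", fallback="")
    return [v.strip() for v in value.split(";") if v.strip()]


def not_searched_by_default(inputs_text: str, authorize_text: str, role: str) -> list:
    """Indexes that inputs write to but the role's plain searches never look
    in; a search for '*' returns nothing from them unless index=<name> is added."""
    defaults = set(default_search_indexes(authorize_text, role))
    written = set(input_indexes(parse_conf(inputs_text)).values())
    return sorted(written - defaults)


def fixed_srch_indexes_default(authorize_text: str, role: str, extra: list) -> str:
    """The srchIndexesDefault line that makes the role search the given
    indexes without typing index=... (what the poster asked for)."""
    current = default_search_indexes(authorize_text, role)
    merged = current + [i for i in extra if i not in current]
    return "srchIndexesDefault = " + ";".join(merged)


if __name__ == "__main__":
    print("undefined indexes:", undefined_indexes(INPUTS_CONF, INDEXES_CONF))
    gap = not_searched_by_default(INPUTS_CONF, AUTHORIZE_CONF, "user")
    print("not searched by default for role_user:", gap)
    print("suggested line for [role_user]:",
          fixed_srch_indexes_default(AUTHORIZE_CONF, "user", gap))
```

Run it against real files by reading $SPLUNK_HOME/etc/system/local and the app's local directory instead of the constructed strings; it deliberately only reads the conf layer it is given, so for a merged view across apps the btool command from the reply below remains the authoritative check.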

Re: i feel dumb, but I see no data when I search in splunk.

Path Finder

I think this might be the problem..

In the indexes section, the vmwareviewbrokers index is only at 1MB and EVENT COUNT is 0, and the rest is N/A.

argh.

0 Karma

Re: i feel dumb, but I see no data when I search in splunk.

Motivator

Hmm, this might take some more investigating. What's the output of:
./splunk cmd btool indexes list vmwareviewbrokers --debug

Alternatively, if you have access to the IRC channel you could pop in there, then we could look deeper and then update this Question with the outcome.

0 Karma

Re: i feel dumb, but I see no data when I search in splunk.

Path Finder

So I just run this command?

0 Karma