Hello colleagues,
Can you help me with the issue which I caught a couple days ago and I still couldn't resolve?
A couple days ago I tried to check my license status but I didn't do it because Splunk said that the data wasn't found.
When I tried to find result manually by doing a search request, I found that system indexes didn't have any events. After that, I checked settings and found that all indexes were disabled and I couldn't enabled through Splunk Web.
I also checked splunkd.log and didn't find any Errors which might be related to my issue.
There is only this ERROR state ERROR AuthenticationManagerLDAP - Could not find user="nobody" with strategy="mystrategy
I did restart and passed all checks without any troubles.
I ran splunk btool check --debug to find something strange but didn't find anything.
After that, I had been observing folders for sometime which were used to internal indexes and detected that Splunk still was writing data.
I tried to enable an index by editing indexes.conf and putting to them disabled flag.
After restart Splunk showed me that the index had been enabled but there still wasn't any event there.
... View more