I was running into this issue and thought I'd post a comprehensive solution in addition to somesoni2's nudge in the right direction. First thing, yes, I was using indexed extractions. The problem is that in etc/system/default/props.conf you find this: `[default] AUTO_KV_JSON = true` This means that by default Splunk is doing search-time extractions on all JSON. I added a stanza to etc/system/local/props.conf to turn that setting off for my data: [my_sourcetype] AUTO_KV_JSON = false And that fixed the problem. Hopefully this helps other folks that come across this and saves them some time. ... View more

In case anyone stumbles across this later my problem was the timestamp. I changed the parameters to use the current index time instead of choosing a column from the data and now data is getting indexed. Next up is figuring out how to get things working using the column I want for the timestamp. ... View more

If you're running dbconnect on an indexer then the data will be indexed just fine. However, if you are running dbconnect on a standalone search head with separate indexers you need to set up outputs.conf to forward the data to your indexers. ... View more

I'm having this problem too. The obvious follow up questions are is this a distributed deployment and if so do you have outputs.conf configured to send to your indexers. In my case the answer is yes to both. My input is running successfully every 5 minutes but no data is getting indexed. ... View more

I ran into a similar set of errors in my AWS logs. When I tried to connect to the web interface, I would get a response of "500 No appservers running." The root cause turned out to be auditd hogging disk I/O. Not sure if you have the same issue, but you might try disabling the auditd service and see if that does anything. ... View more