Dashboards & Visualizations

Why is the Index Detail: Instance dashboard not displaying data under "historical charts" for some indexes?

damode
Motivator

In the historical view of Index Detail: Instance page of the Indexer DMC, it shows data for only _audit and _telemetry. No data for other indexes.

EDIT : There is no historical data shown on all of my splunk instances- 1 S.H, 1 Indexer and 2H.Fs. I have set their DMC's in standalone mode.
I learnt from here that the historical panels get data from introspection logs. Then I re-read the "Monitoring Console setup prerequisites" where it says,

  1. Platform instrumentation must be enabled for every Splunk Enterprise instance that you intend to monitor, except forwarders. (that means Platform instrumentation must NOT be enabled on Forwarders)
  2. Forward internal logs (both $SPLUNK_HOME/var/log/splunk and $SPLUNK_HOME/var/log/introspection) to indexers from all other components. (Forwarding internal logs from Search Head and Heavy Forwarders will basically make them also "Forwarders")

Does that mean I should disable Platform instrumentation on Search head and Heavy forwarders ?
And if I disable Platform instrumentation on these "forwarders" then it will not generate any introspection logs. Then what would be the sense in forwarding them to Indexer ?

Please help me understand this.

0 Karma

micahkemp
Champion

It sounds like your DMC is only searching itself (or peers that only have those indexes). Do you have it configured with your indexers as search peers, and have you configured it for distributed mode?

0 Karma

damode
Motivator

Its configured in Distributed Search mode with the Search Head. So, there is only 1 S.H and 1 Indexer. The above issue is on Indexer DMC.

0 Karma

micahkemp
Champion

Have you configured your remote instances appropriately on the setup page?

0 Karma

damode
Motivator

Sorry, I think you meant whether the S.H was configured in distributed mode. No, Both S.H and Indexer are in Standalone mode.

0 Karma
Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...