Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

cant search data in indexer

arsidiq
Loves-to-Learn Everything
2 weeks ago

i installed splunk in distributed management environment. furthermore, my indexer server got reboot and i can't query my data even though at index = _internal. whereas previously it was fine.

Labels (2)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
2 weeks ago

First things first.

1. Does the splunkd process run on the indexer?

2. Does it listen on the 8089 port?

3. Can you reach indexer's 8089 port from the SH?

4. What does "splunk status" say on the indexer?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
2 weeks ago

Can you tell more about what and how you have done this installation and what kind of distributed environment you have?

Are the problematic node indexer, search head or something other node?

0 Karma
Reply

arsidiq
Loves-to-Learn Everything
2 weeks ago

first i have 3 different server (HF, SH, and IDX) and the distributed search is going to IDX. there an incident that idx server is shutting down and after i started and run the splunk services, i can't query any data. i try to query index = * and has no result.

0 Karma
Reply

arsidiq
Loves-to-Learn Everything
2 weeks ago

i think the problem itself in indexer node, but still cant find out why it can query splunk internal log

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
2 weeks ago

Have you check that those indexes are there and splunk is running there without issues?

Basically if you have GUI enabled on IDX you can try query from there or use CLI and do queries on command line too.

Check also if there is any issues with internal logs. You can query those from internal indexes like 

index=_internal log_level IN (error, warn)
0 Karma
Reply

kiran_panchavat
Influencer
2 weeks ago

@arsidiq 

Refer this 

Solved: Why is no data being written to the _internal inde... - Splunk Community

Solved: Why is _internal index is disabled? - Splunk Community

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

kiran_panchavat
Influencer
2 weeks ago

@arsidiq 

 
Verify that the search head can communicate with the indexer.
If it fails, check firewall rules or network issues. Ensure the indexer is listed in the search head’s distributed search configuration:
 
  • Splunk Web: Settings > Distributed Search > Search Peers.
  • Or check $SPLUNK_HOME/etc/system/local/distsearch.conf.
Check this on the indexer:-  tail -n 100 /opt/splunk/var/log/splunk/splunkd.log
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

kiran_panchavat
Influencer
2 weeks ago

@arsidiq 

  • Ensure the indexer is running. Log into the indexer server and check Splunk's status: /opt/splunk/bin/splunk status
  • If Splunk is not running, start it: /opt/splunk/bin/splunk start
  • Confirm that the search head and other components can communicate with the indexer. Test connectivity using: ping <indexer_ip>
  • Verify that the Splunk management port (default: 8089) is open: telnet <indexer_ip> 8089
    Check the Splunk logs on the indexer for errors: /opt/splunk/var/log/splunk/splunkd.log
  • Look for issues related to indexing, disk space, or corrupted buckets. Common issues include: Disk full errors or Corrupted index buckets due to improper shutdown.

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

arsidiq
Loves-to-Learn Everything
2 weeks ago

yups the indexer is running, and still cant quey any data after the server has been reboot

0 Karma
Reply

kiran_panchavat
Influencer
2 weeks ago

@arsidiq 

Verify permissions for Splunk directories. If they've changed to root after a reboot, correct them with:

chown -R splunk:splunk /opt/splunk

Are you able to see the data for other indexes? 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

arsidiq
Loves-to-Learn Everything
2 weeks ago

already done this, since splunk has to run using user splunk sir so when i want to start the service i already change the permissions

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...