Why can I not see the data in Splunk UI?

Santosh2 · ‎05-14-2022

Hi all, I can see the logs coming in from a particular source=das*.log through backend Linux but when I search with the same source I cannot see data in ui

One more thing if I use with index name and source also I am not getting any data in ui

Note: when I searched with internal index I could see logs from that host IP but not from the source in ui

Can any one help on this issue.

VatsalJagani · ‎05-15-2022

@Santosh2 - You can take some predefined steps in case of data input issues:

Check if you have inputs.conf entry for these files
Have you specified the right index?
Have you created that index on the Indexer?
Make sure you are not filtering the data with transforms.conf config
- check for queue=null line in transforms.conf
- If you see any, make sure it's not related to your data
Make sure you are receiving other data from that host.
- index=_internal host=<hostname-that-has-inputs.conf>
Make sure you have permission to read the index data and also make sure no other restriction being applied.
- You can check with Splunk Admin.

I hope this helps!!! Upvote/karma would be appreciated!!

Why can I not see the data in Splunk UI?

troubleshooting

Holistic Visibility and Effective Alerting Across IT and OT Assets

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud