Solved: How to troubleshoot why data is not being indexed ...

templier · ‎11-12-2014

Hello, i need help.

I have Splunk 6.2
It's sending data using a universal forwarder.
But on the server, I can only search by index=

And also if i go the Search & Reporting app, I see:
What to Search
Waiting for data...
And nothing... If I open Data Summary - it's empty

What do I do?
Thank you!

templier · ‎11-12-2014

Once again understood myself.
The problem was in the rights of users.

View solution in original post

lindbergh_calde · ‎12-02-2014

Hi

Just to Add to answer above. I too ran into the same issue. Splunk has done a few tweaks with the new version 6.2 and if you do not specify the index, the data cannot be searched successfully. hence to allow searching via sourcetype or etc.
Go to

1) Settings -> Access Control -> Roles (select the role applicable to you).
2) Scroll Down to "Indexes searched by default" and select the indexes you want to be included in your searches by default

This should work now.

Cheers

templier · ‎12-02-2014

Hello, Cheers.

Thank you for your answer.
I will add - if you have more indexes or they will be added you can add the following settings:
1) Settings -> Access Control -> Roles (select the role applicable to you).
2) Scroll Down to "Indexes searched by default" and "Indexes" and select parameter "all non-internal indexes"

Sergey

templier · ‎11-12-2014

Once again understood myself.
The problem was in the rights of users.

How to troubleshoot why data is not being indexed in Splunk 6.2?

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2