Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Where does forwarded data exist if the index mentioned in my inputs.conf monitor stanza was not created?

snehal8
Path Finder
‎01-29-2015 02:44 AM

Hello Everyone,

I have created an inputs.conf file for deploying an app in host machine to forward data. 

[monitor:///xxxxxx]
index=a
disabled=false
sourcetype=Test

but have created an index called b and by mistake, in the inputs.conf file mentioned a, so data is came in splunk with this index but not getting where is exactly store.

Where exactly is the data sent in this scenario? How can I resolve this?

Thanks.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎01-29-2015 08:07 PM

If you do not have index A created, and configure and input to send to index A, then when the input sends and the indexers do not have the index, they will drop the events and generate and invalid index error. It will not move them to another index, or put them in _internal. (_internal is internal events for splunk only.)

If you want to move the events from index A to index B, then you need to copy the buckets at the file level. ( $SPLUNK_HOME/var/lib/splunk/** )

The instructions here are pretty straightforward :
http://answers.splunk.com/answers/126422/move-specific-data-from-one-index-to-another-index.html

Reply

aakwah
Builder
‎01-29-2015 03:56 AM

If index is not specified data will go to main index, you can get the logs by running

index=main

then specify the source from Fields sidebar then delete the event you want as per the following, but first you need to allow the user you are using to delete:

index=main source=test.gz | delete

Give user permissions to delete, from wen interface, I'll assume you are using admin user:

Settings, Access controls, Users, admin

In Assign to roles part, add can_delete, then save

Regards,
Ahmed

Reply

aakwah
Builder
‎01-30-2015 09:12 AM

Hi @snehal8, if the issue is resolved, please accept an answer to mark this issue as resolved.

Regards,
Ahmed

0 Karma
Reply

lguinn2
Legend
‎10-23-2015 07:00 PM

This only applies if no index has been specified. If the wrong index name was specified, then @esix is correct.

0 Karma
Reply

mzorzi
Splunk Employee
Splunk Employee
‎01-29-2015 03:17 AM

You can search for that data across all time and indexes. If nothing returns the data has not been indexed.

A very generic search is index=_* OR index=*

0 Karma
Reply

snehal8
Path Finder
‎01-29-2015 03:38 AM

Thanks for reply @mzorzi. in search it is not showing , but when i executing this query "index=_internal (host=*xxx* OR host=*xxx*) NOT (series=_* OR series=*summary*) source=*metrics.log group=per_index_thruput earliest=-7d | timechart span=1d sum(eval(kb/1024)) AS "MB indexed" by series" , then its showing index a with amount of data. then if it in "_internal" ? then how to move this data in my actual index b ? please help me on this

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...