Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why can't I see data in the Search App's "Data Summary", but the data is searchable?

baxiani
Explorer
‎04-17-2015 04:52 AM

Hi all,

I monitor files on a heavy forwarder and use different sourcetypes and hosts for each file, but one common index.
On the search head, I can search this data, but I am not able to see these hosts and sourcetypes in search app "Data Summary"

Do you know why?

Tags (3)
0 Karma
Reply

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎01-23-2019 11:50 PM

@ngatchasandra is correct, the "Data Summary" in the Search & Reporting App is based on data for the configured default index, which is "main" by default.

If you wish to do a search that shows the same data as the "Data Summary", you can do the following:

| metadata index=<YOUR INDEX> type=<hosts, sources or sourcetypes>
| eval lastSeen = strftime(lastTime, "%x %l:%M:%S %p")
| rename <host, source, or sourcetype> AS <Host, Source, or Sourcetype>, totalCount AS Count, lastSeen AS "Last Update" 
| table <Host, Source, or Sourcetype>, Count, "Last Update"

Where you replace YOUR INDEX with your index minus the angle brackets, and select the appropriate type and reflect the selection in the rename command and table command.

e.g. For listing all sourcetypes, it would be

| metadata index=<YOUR INDEX> type=sourcetypes
| eval lastSeen = strftime(lastTime, "%x %l:%M:%S %p")
| rename sourcetype AS Sourcetype, totalCount AS Count, lastSeen AS "Last Update" 
| table Sourcetype, Count, "Last Update"

And this would be run across All Time (to see what you see in the Search & Reporting app, though do it at your discretion considering the index and amount of events).

Reply

ngatchasandra
Builder
‎04-17-2015 11:28 AM

Hi baxiani,

  • I think its because the data you have indexed the data in an index that you have created yourself . If you index the data by assigning the default index, you can see in DATA SUMMARY all information about hosts , sources and sourcetype.

  • It can can be possible that the data hasn't indexed correctly

You can test this!

Reply

juvetm
Communicator
‎04-17-2015 01:20 PM

HI baxiani
were you make a change on your data before it is been index

0 Karma
Reply

baxiani
Explorer
‎04-19-2015 11:49 PM

Good Morning,

thank you very much for your response.
Yes I have created this index myself. So I guess this is unfortunately normal.

@juvetm: I only configured the inputs.conf and outputs.conf. So there is no change of data before indexing.
On the forwarder I have indexAndForward = false

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...