Getting Data In

Why are all my indexes disabled but Splunk is still writing data?

nryagin
Explorer

Hello colleagues,

Can you help me with an issue which I ran into a couple of days ago and still haven't been able to resolve?

A couple of days ago I tried to check my license status but couldn't, because Splunk said that the data wasn't found.
When I tried to find the result manually by running a search, I found that the system indexes didn't have any events. After that, I checked the settings and found that all indexes were disabled and I couldn't enable them through Splunk Web.

I also checked splunkd.log and didn't find any errors which might be related to my issue.
There is only this error: ERROR AuthenticationManagerLDAP - Could not find user="nobody" with strategy="mystrategy
I did a restart and it passed all checks without any trouble.
I ran splunk btool check --debug to look for something strange but didn't find anything.

After that, I observed for some time the folders which are used for the internal indexes and saw that Splunk was still writing data.
I tried to enable an index by editing indexes.conf and setting the disabled flag for it.
After the restart Splunk showed me that the index had been enabled, but there still weren't any events in it.

0 Karma
1 Solution

nryagin
Explorer

As a result I couldn't resolve the issue described above by editing conf files and checking splunkd.log, but I had to review data from the internal indexes to evaluate the license for some period of time. That's why I saved all my conf files, left the indexes, and then re-installed Splunk. I copied all my conf files and started the Splunk service again, and the miracle occurred: Splunk started monitoring all indexes correctly.
Also, as I found earlier, Splunk had continued writing all system events, and I am able to check all the data for this period now.

0 Karma

aaraneta_splunk
Splunk Employee

Hi @nryagin - Did this answer you posted provide a working solution for you? If yes and you would like to close out this question, please click "Accept" below your answer. Thank you.

0 Karma