Solved: Cannot see data that gets indexed on Summary page

efelder0 · ‎05-11-2012

Recently, I have made changes to my Splunk environment where I created new indexes and assigned multiple data sources to their respective indexes. However, once I index a single data source, that information no longer shows up on the Summary page. i.e. the message, "Waiting for data" appears in the Sources window.

Thoughts?

sdaniels · ‎05-11-2012

The default view for the Search app summary page is only going to show data from the main index. If you want to see other sources you'll need to add that index as a default for the role of the user you are logging in as. Then you'll see the sources by default instead of having to type in index="whatever".

View solution in original post

sdaniels · ‎05-11-2012

The default view for the Search app summary page is only going to show data from the main index. If you want to see other sources you'll need to add that index as a default for the role of the user you are logging in as. Then you'll see the sources by default instead of having to type in index="whatever".

efelder0 · ‎05-11-2012

I got it, Splunk --> Manager --> Access Controls --> Admin

sdaniels · ‎05-11-2012

You can do either but throught the app is probably easiest. Look up the user to see what role they have. Then Manager -> Access Controls -> Roles. Then you'll see a box for 'Indexes searched by default'. Remember this change will apply to all users of that Role.

efelder0 · ‎05-11-2012

would a .conf file need to be changed or a setting w/in the app?

Cannot see data that gets indexed on Summary page

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms