Monitoring Splunk

Splunk Enterprise is receiving data from forwarder but when I use run a search I cannot find the host?

CJROCK21
New Member

0 Karma
1 Solution

Richfez
SplunkTrust

It is likely the data is in an index not searched by default. Try this search instead:

index=* host=DESKTOP-<what_ever_that_is>

Let us know if that works!

Happy Splunking,
Rich


0 Karma


CJROCK21
New Member

I have a forwarder installed on an Ubuntu VM and I am forwarding data to my Splunk running on Windows 10.

When I go to Settings -> Monitoring -> Instance-forwarder I can see that there is 1 connection and I am receiving data from the Ubuntu instance.

But when I click run a search and query through it for available hosts, it does not show ubuntu under the host list.

I have posted snapshots for both received data and host list above.

0 Karma

ddrillic
Ultra Champion

Can you please elaborate on the question?

0 Karma

CJROCK21
New Member

I am receiving data in my Splunk Enterprise from a universal forwarder installed on an Ubuntu VM and I can see that under ...

Monitoring console -> forwarder: instances

It shows me instance ... ubuntu and data rate and all graphs. (Refer to snapshot 1 above.)

But when I click run a search and check the available hosts to query through, the list does not contain ubuntu as a host, which it should have (snapshot 2).

Please help me on how to get that data and query on it.

0 Karma

klaxdal
Contributor

Try searching for index=main (or whatever index you have established to forward events to) host="host_name"

So from what I am seeing in the screenshots:

index=main host=ubuntu

That should do it - if not, use a wildcard on the index= (index=*) to troubleshoot.

0 Karma
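
An added example, not part of the original thread or any poster's reply: two searches, run separately, that show which index the forwarder's events landed in and which indexes each role searches when no index is given. The host value ubuntu is taken from the reply above; both searches assume a role that is allowed to run tstats and rest and to search all indexes, and index=_* is included because index=* does not match internal indexes such as _internal.

```spl
| tstats count max(_time) as last_event where (index=* OR index=_*) host="ubuntu" by index, host, sourcetype
| eval last_event=strftime(last_event, "%Y-%m-%d %H:%M:%S")
| sort - count

| rest /services/authorization/roles splunk_server=local
| table title srchIndexesDefault srchIndexesAllowed
```

If the host appears under an index that is missing from srchIndexesDefault for your role, a search without an explicit index= will not return it. If it appears only under _internal, the forwarder's own logs are arriving but no monitored input data has been indexed.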

klaxdal
Contributor

What is your search parameter?

0 Karma

CJROCK21
New Member

I am receiving data in my Splunk Enterprise from a universal forwarder installed on an Ubuntu VM and I can see that under ...

Monitoring console -> forwarder: instances

It shows me instance ... ubuntu and data rate and all graphs. (Refer to snapshot 1 above.)

But when I click run a search and check the available hosts to query through, the list does not contain ubuntu as a host, which it should have (snapshot 2).

Please help me on how to get that data and query on it.

0 Karma