Getting Data In

Why am I unable to see the forwarder but data is being received?

Lenval06
Engager

Hi,
I setup a forwarder on a linux server and setup Splunk to listen on port 9997 and I added the index name (cisco) I previously setup into the inputs.conf file.
On the Splunk indexer, if I search "index=cisco", I can see all my data.

However, my "Search" page is not displaying any "Hosts", any "Sources" and any "SourceTypes"....whereas I am receiving all data.

Any idea what is wrong ?
Philippe

0 Karma

adonio
Ultra Champion

here is in splunk enterprise, kindly assist with splunk light if its not equivalent:

alt text

alt text

0 Karma

adonio
Ultra Champion

search index=cisco | head
look on the left part of the screen
the 3 fields host, source, sourcetype supposed to be there

Lenval06
Engager

You are right Adonio, when I run this query I get this result.

What I meant the "Search" page which shows all Hosts added,...and the moment I have the message "No data has been added",,,,whereas I should have the hostname on my cisco device.

Any idea ?

0 Karma

adonio
Ultra Champion

you mean the data summary button?

0 Karma

Lenval06
Engager

I mean the default page when you open Splunk: you have a list of "Hosts" , then if you click "Sources" you can see all your sources are are being indexed and finally if you click on "Sourcetypes" you can see all your sources types

In this page, I do not have anything being displaying whereas I have data being received from a forwarder.

Is this clearer ?
Thanks

0 Karma

adonio
Ultra Champion

hmmm, just noticed the question is tagged as splunk light.
ill place some screenshots in an answer, hopefully the UI is similar but i am not 100% sure.
anyways, i think all you need is to click the data summary button

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...