Solved: Splunk index on a Windows log folder

neltonk · ‎01-23-2018

New to Splunk please help...

I have created an index in Splunk enterprise and added a monitor to the splunk universal forwarder on a Windows Server. The size of the folder is 5 GB. I can see the index size growing but I am unable to search any data. Does the search work only after the index is fully populated?

Thanks

mayurr98 · ‎01-23-2018

No, it does not! you can search for the data while you are indexing the data.

Efficient way to search for your data is

index=<name of the index>

Run this search for all time.
Also, if you do not have specified the name of the index then the default index name is main

let me know if this helps!

View solution in original post

mayurr98 · ‎01-23-2018

No, it does not! you can search for the data while you are indexing the data.

Efficient way to search for your data is

index=<name of the index>

Run this search for all time.
Also, if you do not have specified the name of the index then the default index name is main

let me know if this helps!

neltonk · ‎01-23-2018

Thanks a lot Mayur. That worked... Thanks again for the tip.

cmerriman · ‎01-23-2018

what exactly does your search look like? do you have the name of the index in your search string?
if you go into Settings>Users and Authentication Access Controls>Roles and click on your role, is the Windows Server index selected (or All internal/non-internal indexes)?

Splunk index on a Windows log folder

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!