New to Splunk please help...
I have created an index in Splunk Enterprise and added a monitor to the Splunk Universal Forwarder on a Windows Server. The size of the folder is 5 GB. I can see the index size growing but I am unable to search any data. Does the search work only after the index is fully populated?
Thanks
No, it does not! You can search for the data while you are indexing the data.
An efficient way to search for your data is:
index=<name of the index>
Run this search for all time.
Also, if you have not specified the name of the index, then the default index name is main.
Let me know if this helps!
Thanks a lot Mayur. That worked... Thanks again for the tip.
What exactly does your search look like? Do you have the name of the index in your search string?
If you go into Settings>Users and Authentication Access Controls>Roles and click on your role, is the Windows Server index selected (or All internal/non-internal indexes)?