Getting Data In

Data being indexed but unable to search

rmcdougal
Path Finder

OK, so here is the issue: I have installed a forwarder on my Snort box to forward the data over to Splunk. It appears to be sending the data over and it appears to be getting indexed, but I am not able to search the information.

This is my search summary page


Notice the last update time.

Now I am going to click on the source type and search for the events.


Notice that the latest event showing up has a timestamp of 12/6/2012 at 12:56 AM. This contradicts the search summary page.

One last thing, from the deployment monitor, this is the status of the forwarder on my snort box.


1 Solution

rmcdougal
Path Finder

I found the solution and it wasn't very intuitive. The timestamp was not being indexed properly by Splunk, so the events were getting indexed but there was an invalid timestamp associated with them, preventing them from showing when searching for them. (I still haven't been able to find them.)

After changing the TIME_FORMAT in props.conf the events started to display.
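As an added example (not from this thread), this is the kind of props.conf stanza the fix above refers to. It assumes the Snort box writes the default alert_fast format, that the sourcetype is snort, and that the stanza is deployed on the heavy forwarder mentioned later in the thread, because with a heavy forwarder timestamp extraction happens there rather than on the indexer; the sample log line is constructed.

```ini
# props.conf on the heavy forwarder (the parsing stage for this setup).
# Constructed sample line in Snort alert_fast format, no year field:
#   12/06-00:56:12.123456  [**] [1:1000001:1] LOCAL test alert [**] [Priority: 3] {TCP} 10.0.0.5:80 -> 10.0.0.9:51234
[snort]
# The timestamp starts at the very beginning of each line.
TIME_PREFIX = ^
# month/day-hour:minute:second.microseconds, matching the line above.
TIME_FORMAT = %m/%d-%H:%M:%S.%6N
# Only scan the first 22 characters for the timestamp, so that port numbers
# and rule IDs further along the line are never mistaken for a date.
MAX_TIMESTAMP_LOOKAHEAD = 22
# Timezone of the Snort box; adjust to where the sensor actually runs.
TZ = UTC
# Each alert_fast entry is a single line; disable line merging.
SHOULD_LINEMERGE = false
```

A props.conf change only affects data indexed after the restart; events that already landed with a bad _time stay where they are, and a search over all time such as `index=security sourcetype=snort earliest=0 | stats min(_time) max(_time)` shows where they went.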



lguinn2
Legend

My guess is that your Splunk admin did NOT set up the security index to be searched by default. That setting is under Manager -> Access Control -> Roles. For each role, the admin can determine which indexes are visible and which indexes are searched by default.

If the security index is NOT one of your default indexes, you may be able to search it explicitly:

index=security sourcetype=snort

If that doesn't work, perhaps the Splunk admin has not given you access to the security index at all.

Drainy
Champion

The summary page only displays data in the main index by default, so it won't register detail on other indexes.

Related: http://splunk-base.splunk.com/answers/47879/cannot-see-data-that-gets-indexed-on-summary-page

rmcdougal
Path Finder

It is configured to forward to the "security" index. It is using a heavy forwarder because that is what my system admin felt most comfortable installing.


Ayn
Legend

Also, if I recall correctly, the time on the summary page is when the last event was INDEXED, not necessarily when it was actually generated.

miteshvohra
Contributor

And, why 'Heavy Forwarder' and not 'Universal'?


lguinn2
Legend

What index does the forwarder specify for the snort data in inputs.conf?
