Getting Data In

I can't find the existing index

pacifikn
Communicator

Greetings!!

I can't find the existing index after inputting other data into that index.

I have done /opt/splunk/bin/splunk reload deploy-server

BUT the problem is that I can't find the existing index after this Splunk configuration??

I was confused somehow. I am getting data from Syslog senders (network devices), and when I checked
/opt/splunkforwarder/bin/splunk list forward-server

I got the following output: Active forwards: None
Configured but inactive forwards:
" IP of all indexers: port"

Could this be a root cause of not getting logs for index XXXX? Even when you search index=** you can see the other indexes but not the one you have input data into?

Kindly help me how I can fix this, thank you


gcusello
SplunkTrust

Hi @pacifikn,
there's some confusion in your question:
reload deploy-server and list forward-server are commands of Deployment Server and there isn't any direct relation with indexes.
But let me understand and correct me if I'm wrong:

  • you have a distributed architecture with an all-in-one Splunk server and some Universal Forwarders,
  • you have to ingest syslogs from one or more appliances.

To ingest syslogs you have to enable your Splunk server to ingest network logs [Settings -- Data Inputs -- TCP/UDP - Add New].
If you can, it's better to use a Heavy Forwarder or (better) two HFs with a Load Balancer to avoid Single Points of Failure.

If instead you have to take logs from a Universal Forwarder, you have to define your use case and create a Technical Add-on to deploy manually or using the Deployment Server.

Then you can search the ingested data, and you have to know in which index they are stored, but that's a following question.

I suggest carefully reading https://docs.splunk.com/Documentation/Splunk/8.0.1/Data/Getstartedwithgettingdatain to better understand how to get data into Splunk.

Ciao.
Giuseppe


pacifikn
Communicator

Hi gcusello,

Thank you for your quick response,

Let me clarify again the issue I am getting.

I want to add other input data from network devices (Syslog senders) into Splunk.
Before, I had a few devices (8 devices) configured well and generating logs, and I wanted to add the other 20 devices. But after I did this Splunk configuration as I did before, I can't see their logs. Not only that, this seems to have affected the 8 devices configured before: for now, the logs are not available as they appeared before for the 8 devices. The entire index for these specific devices is not available among the other indexes; when you search index=* to see all indexes, you only see the others, not the one mentioned above.
When I search index=xxx, it is not available.

BUT the issue is that after doing the configuration, I can't see the data of those inputs in search.
Even for the previous 8 devices, whose logs I used to see before, I can't see them. Even their index is not available as before. It seems like it was disabled/deleted. How do I check it?

Challenge: when I search in one week I can see the logs of the 8 previous devices from before adding the 20 devices, but currently not. I don't know where the problem comes from.


gcusello
SplunkTrust

Hi @pacifikn,
let me understand:

  • you had 8 appliances that were sending syslogs and you were receiving their syslogs,
  • afterwards you configured another 20 appliances, but you don't see their logs,
  • now you don't see both the new and the old appliances' logs;

is it correct?

First, check the configuration and the firewall routes between the appliances and the Splunk server.
Then check the inputs on Splunk.

Ciao.
Giuseppe


pacifikn
Communicator

Right! yes, that is the question I have!

I see the old when I set the time before one week, I can view it.

But after adding the other 20 same appliances, I don't see both the old and new ones.

The configuration and the firewall routes between appliances and the Splunk server are done correctly.

Kindly help me step by step on how to crosscheck the inputs on Splunk, maybe I am not doing this correctly!


gcusello
SplunkTrust

Hi @pacifikn,
delete and re-create the inputs one by one and check if the problem is still present.
You can also check in inputs.conf if there's something wrong.
To understand which inputs.conf to check, you can use

./splunk cmd btool inputs list --debug

Ciao.
Giuseppe
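
One way to read the btool output suggested above, as an added example that is not part of the original thread: with --debug, btool prefixes every effective setting with the file that supplied it, so a short parser can report which network inputs are disabled or write to an index that is not defined. The sample output, app names, ports, index names and the known_indexes set are constructed assumptions.

```python
import re

# Constructed sample of `splunk cmd btool inputs list --debug` output; the app
# names, ports and index names are invented for illustration.
SAMPLE = """\
/opt/splunk/etc/apps/net_old/local/inputs.conf  [udp://514]
/opt/splunk/etc/apps/net_new/local/inputs.conf  disabled = 1
/opt/splunk/etc/apps/net_old/local/inputs.conf  index = network
/opt/splunk/etc/apps/net_old/local/inputs.conf  sourcetype = syslog
/opt/splunk/etc/apps/net_new/local/inputs.conf  [tcp://1514]
/opt/splunk/etc/system/default/inputs.conf      host = $decideOnStartup
/opt/splunk/etc/apps/net_new/local/inputs.conf  index = netwrok
/opt/splunk/etc/apps/net_new/local/inputs.conf  sourcetype = syslog
"""

LINE = re.compile(r"^(\S+)\s+(.*)$")  # assumes file paths contain no spaces

def parse_btool(text):
    """Return {stanza: {key: (value, file_that_set_it)}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            continue
        path, rest = m.groups()
        if rest.startswith("[") and rest.endswith("]"):
            current = stanzas.setdefault(rest[1:-1], {})
        elif current is not None and "=" in rest:
            key, value = (part.strip() for part in rest.split("=", 1))
            current[key] = (value, path)
    return stanzas

def audit_network_inputs(stanzas, known_indexes):
    """Flag tcp:// and udp:// inputs that are disabled or point at an unknown index."""
    findings = []
    for name, settings in stanzas.items():
        if not name.startswith(("tcp://", "udp://")):
            continue
        disabled, src = settings.get("disabled", ("0", None))
        if disabled.lower() in ("1", "true"):
            findings.append((name, "disabled", src))
        # "default" means the instance's default index, so it is not flagged.
        index, src = settings.get("index", ("default", None))
        if index != "default" and index not in known_indexes:
            findings.append((name, f"unknown index {index!r}", src))
    return findings

if __name__ == "__main__":
    for finding in audit_network_inputs(parse_btool(SAMPLE), {"main", "network"}):
        print(*finding, sep=" | ")
```

In this constructed case the newer app both disables the existing UDP input and sends the new TCP input to a misspelled index, and each finding names the file to open.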
