Re: DATA not feeding in INDEX : Splunk

vivekg72 · ‎04-22-2020

Hi

I have got 5 node SPLUNK .

NODE1 : Master + License Manager
Node 2 : Indexer - peer
Node 3 : Indexer - Peer
Node 4 : Indexer - Peer
Node 5 : Search head

All is working fine . Now I need to create a new index for test purpose . and push one file in that index

Thus I have done following :

In master Node , We have a file called indexes.conf under :
/apps/splunk/etc/master-apps/app-infrastructure-loganalysis/local

I have added a few index lines :
[indexwinelksynclogs]
homePath = /data/splunk/indexwinelksynclogs/db
coldPath = /data/splunk/indexwinelksynclogs/colddb
thawedPath = /data/splunk/indexwinelksynclogs/thaweddb
repFactor = auto

vivekg72 · ‎04-22-2020

Therefter I did following in master :

splunk apply cluster-bundle
splunk show cluster-bundle-status

I can see new index file is deployed in All Index servers . I have restarted whole cluster
and I can see index in UI

but When I try to push data , it does not work .. nothing goes in index

Can u please help me ASAP ?

vivekg72 · ‎04-22-2020

Hi

I have added following lines in input.conf of splunk forwarder

[monitor://D:\PTP\Daily*.csv]
disabled = false
sourcetype = indexwinelksynclogs
index = indexwinelksynclogs

vivekg72 · ‎04-22-2020

There are two more stanza in input file ( using old indexes ) and I can see data in those indexes updated regularly

but not in new Index .

richgalloway · ‎04-22-2020

Please say more about how you are pushing data and how you are searching for it. How are you specifying the index name? Are you specifying the correct index?

---
If this reply helps you, Karma would be appreciated.

DATA not feeding in INDEX : Splunk

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases