Hello,
I'm getting "No results found." whenever I search for any term in Splunk.
I have 29,123,099 Events INDEXED and I was searching normally before today.
No matter what I search for, I always get no results found.
Can anyone please point me in the direction of where to check?
Thank you
Check Settings -> Indexes to make sure there's events in the indexes. If you then can't see anything if you search that particular index, then post a screenshot of your user's role definition. Also check index=_internal log_level=ERROR to see if there's a problem. Lastly, since this is a local play environment, it might be easiest to just uninstall/reinstall Splunk and re-add the data thereby starting clean.
Events are added to the main index and I can see them accumulating normally.
When I tried to see my user's role definition, I couldn't because this is the free version and user roles are not allowed.
Checking index=_internal log_level=ERROR, I found some errors:
2016-08-31 15:39:05,871 ERROR [57c6ddf9ba19e01f4ee80] admin:1775 - [HTTP 402] Current license does not allow the requested action
Traceback (most recent call last):
File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\controllers\admin.py", line 1745, in listEntities
entities = en.getEntities(endpoint_path, **args)
File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\entity.py", line 129, in getEntities
atomFeed = _getEntitiesAtomFeed(entityPath, namespace, owner, search, count, offset, sort_key, sort_dir, sessionKey, uri, hostPath, **kwargs)
File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\entity.py", line 222, in _getEntitiesAtomFeed
serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)
File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\rest\__init__.py", line 513, in simpleRequest
raise splunk.LicenseRestriction
LicenseRestriction: [HTTP 402] Current license does not allow the requested action
================================================================================================================
2016-08-30 15:50:00,313 ERROR [57c58f084c19e01492278] config:132 - [HTTP 401] Client is not authenticated
Traceback (most recent call last):
File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\lib\config.py", line 130, in getServerZoneInfo
return times.getServerZoneinfo()
File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\appserver\mrsparkle\lib\times.py", line 158, in getServerZoneinfo
serverStatus, serverResp = splunk.rest.simpleRequest('/search/timeparser/tz')
File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\rest\__init__.py", line 510, in simpleRequest
raise splunk.AuthenticationFailed
AuthenticationFailed: [HTTP 401] Client is not authenticated
host = 677878-db1 source = C:\Program Files\Splunk\var\log\splunk\web_service.log sourcetype = splunk_web_service
================================================================================================================
2016-08-30 15:38:12,792 ERROR [57c58c44c9bbef1fc7f0] utility:49 - name=javascript, class=Splunk.Error, lineNumber=586, message=Uncaught TypeError: e.defaultDrilldown is not a function, fileName=http://192.168.100.12:8000/en-US/static/@debde650d26e/js/licenseusage.js
================================================================================================================
Thank you
I also have this warning in the license manager:
Severity Time Message Indexer Pool Stack Category
Correct by midnight to avoid violation Learn more This pool contains 1 slave/s in violation auto_generated_pool_free free pool_violated_slave_count
What did you see on Settings -> Licensing -> Usage Report? Screen shot maybe?
Also, did you switch to the Free License or did the license just expire? Make sure you've done this: http://docs.splunk.com/Documentation/Splunk/6.4.3/Admin/MoreaboutSplunkFree#How_do_I_switch_to_Splun...
Hello SloshBurch,
The license expired, then I switched to the free account as per the instructions you sent. This was 6 days ago.
A screenshot of the license usage:
As for the warnings:
I can't clear these warnings as there are no more details for them. The warnings are:
Thank you so much for your help
The free version of Splunk has an indexing limit of 500 Mb per day. Did you perhaps index more than that after the trial license expired? If you index above your licensing limit more than 3 times in a 30 day window on the free version, the search functionality becomes disabled until you either get an unlock key, input a new license or one of the violations rolls past the 30 day window and your total licensing violations fall to 3 or less.
See this document about licensing for more information if you think this is what happened.
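The violation rule described in the answer above can be checked offline against license_usage.log, which sits in the same var\log\splunk directory as the web_service.log quoted earlier. This is an added example, not part of the original thread and not Splunk's own code: the log lines are constructed, and the function names, the assumed RolloverSummary layout (b, poolsz) and the "more than 3 in 30 days" threshold taken from the answer are assumptions.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample in the key=value style of license_usage.log (assumed layout):
# b = bytes indexed for the day, poolsz = daily quota of the pool in bytes.
SAMPLE_LOG = """\
07-20-2016 00:00:00.010 +0300 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" stack="free" poolsz=524288000 b=600000000
08-10-2016 00:00:00.011 +0300 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" stack="free" poolsz=524288000 b=41943040
08-10-2016 09:14:02.120 +0300 INFO  LicenseUsage - type=Usage idx="main" pool="auto_generated_pool_free" b=1024 poolsz=524288000
08-25-2016 00:00:00.012 +0300 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" stack="free" poolsz=524288000 b=700000000
08-26-2016 00:00:00.013 +0300 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" stack="free" poolsz=524288000 b=650000000
08-27-2016 00:00:00.014 +0300 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" stack="free" poolsz=524288000 b=524288001
08-28-2016 00:00:00.015 +0300 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" stack="free" poolsz=524288000 b=900000000
08-29-2016 00:00:00.016 +0300 INFO  LicenseUsage - type=RolloverSummary pool="auto_generated_pool_free" stack="free" poolsz=524288000 b=41943040
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_rollovers(text):
    """Return [(day, bytes_indexed, quota_bytes)] from RolloverSummary lines only."""
    rows = []
    for line in text.splitlines():
        if "type=RolloverSummary" not in line:
            continue  # skip per-source type=Usage lines and anything else
        day = datetime.strptime(line[:10], "%m-%d-%Y").date()
        kv = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
        rows.append((day, int(kv["b"]), int(kv["poolsz"])))
    return rows

def violation_days(rows):
    """Days on which the indexed volume exceeded the pool quota."""
    return sorted(day for day, used, quota in rows if used > quota)

def search_locked(rows, today, window_days=30, allowed=3):
    """Apply the rule from the answer: more than `allowed` violations in the window."""
    start = today - timedelta(days=window_days)
    recent = [d for d in violation_days(rows) if start < d <= today]
    return len(recent) > allowed, recent

if __name__ == "__main__":
    rows = parse_rollovers(SAMPLE_LOG)
    locked, recent = search_locked(rows, date(2016, 8, 31))
    print("violations in window:", [d.isoformat() for d in recent])
    print("search locked:", locked)
```

To run it against a real instance, replace SAMPLE_LOG with the contents of license_usage.log and pass the current date as `today`.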
I will check this scenario. However, on the busiest day, I got 40 Mb of data. However, I can see other warnings in the license usage report.
Thank you for pointing me in the right direction. I will check and get back to you with the results.
This can also be expected behavior from your search; for instance, this returns 0 of ~500,000 events:
index=* | where linecount > 1 | rex field=_raw "(?m)(?P^.*ESTABLISHED.*$)" | search footer
If you are still troubleshooting, just start with "index=* startminutesago=5" to see what you have access to.
index=* startminutesago=5 did not return anything.
I have also tried index=* and did not get anything.
The steps I used now to check the data are:
Step one: I open Splunk and I get this:
Then I click on "Data Summary" and I get:
When I click on the "192.168.100.1" host that contains all the events, I get this:
One last thing to note, I was using Splunk trial and then the trial period expired. I then switched to Splunk free.
I'm not using distributed deployment. It is just installed on one server.
Thank you for your help.
Another thing:
When I click on the Job button below the search box, I get:
Peer 421798-db1's search ended prematurely. Attempting to reconnect and resume.
(421798-db1) is the server name.
Maybe add index=* to that search to see if the data for that IP still exists. If still nothing, then remove the host part and just search index=*. If that still fails, then check that your role still has access to search all indexes within the role definition menu in settings.
I have tried all of what you have mentioned. Unfortunately, it is still not working. I'm now checking the licensing report.
Thank you for your help.
Are you searching the correct index? Which index is your data in, and what is defined as your default search index?
I have not changed the index. Can you please let me know how to change the index?
Change time to All Time.
Time is already set to All time
Maybe a user access issue. Do you have Splunk admin access? Can you check your user role and capabilities?
I'm using the Admin account. I used to use this account before in my search.