Splunk internal search

uagraw01 · ‎11-02-2023

Hello Splunkers!!

I am not getting any data in the internal index for the last 24 hours. Please let me know what will the cause behind it & what i need to check.

isoutamo · ‎11-02-2023

Hi

Are you sure that you have access to _internal index? You could check it by

| rest /services/authentication/users splunk_server=local f=roles 
| search title="<YOUR SPLUNK ACCOUNT NAME>"
| fields title roles 
| join roles 
    [| rest /services/authorization/roles 
    | fields title srchIndexesAllowed srchIndexesDefault srchIndexesDisallowed 
    | dedup title 
    | rename title as roles
        ] 
| transpose

Just look what you have on allowed and disallowed rows.

r. Ismo

uagraw01 · ‎11-02-2023

@isoutamo I can access it; I have admin access. I can see logs within 24 hours. But not for the last 24 hours.

isoutamo · ‎11-02-2023

Have you enough disk space for
1) creating those logs into disk
2) indexing those to _internal

uagraw01 · ‎11-02-2023

@isoutamo We have good storage for Splunk db.

ITWhisperer · ‎11-02-2023

Does your role have permissions to read the _internal index? Has this ever worked?

uagraw01 · ‎11-02-2023

@ITWhisperer Yes, that why I specify last 24 hours

Splunk internal search

other

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms