Hello Splunkers!!
I am not getting any data in the internal index for the last 24 hours. Please let me know what will the cause behind it & what i need to check.
Hi
Are you sure that you have access to _internal index? You could check it by
| rest /services/authentication/users splunk_server=local f=roles
| search title="<YOUR SPLUNK ACCOUNT NAME>"
| fields title roles
| join roles
[| rest /services/authorization/roles
| fields title srchIndexesAllowed srchIndexesDefault srchIndexesDisallowed
| dedup title
| rename title as roles
]
| transpose
Just look what you have on allowed and disallowed rows.
r. Ismo
@isoutamo I can access it; I have admin access. I can see logs within 24 hours. But not for the last 24 hours.
Does your role have permissions to read the _internal index? Has this ever worked?
@ITWhisperer Yes, that why I specify last 24 hours