not able to see logs in index=abc

Praz_123 · ‎12-28-2023

Able to see events in index=_internal but not in index=abc for a particular host , what could be reason.

richgalloway · ‎12-28-2023

Having access to _internal does not mean you have access to all other indexes. Check with your Splunk admin to see if your role is allowed to access index abc.

---
If this reply helps you, Karma would be appreciated.

Praz_123 · ‎12-28-2023

@richgalloway , i do have access for the index=abc don't know why data is not coming into that host , while checking in backend able to see logs coming on daily basis , but it is not ingesting in index=abc .

While in backend am able to follow this path /home/sv_cidm/files and able to see logs

what should I do know , please help your help will be appreciated .

Thanks

richgalloway · ‎12-29-2023

If it's just that host that is affected then verify the input for that file is present on the host and not disabled. Make sure Splunk still has read access to the file. Check splunkd.log on the host for any messages that might explain the problem.

---
If this reply helps you, Karma would be appreciated.

isoutamo · ‎12-29-2023

Hi

you should tell more about your situation like

your environment
have those come earlier
are you only one who didn't see those
what has changed

Without this kind of base information it's quite frustrating to guess what the reason could be!

There are also quite many similar issues already solved in community. Just try to use google/bing/what ever your search engine is, to see how these are normally solved.

r. Ismo

not able to see logs in index=abc

other

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...