Documentation > Splunk > Admin Manual > Not finding the events you're looking for?

Admin Manual

 


Welcome to Splunk administration
What to do first
Use Splunk Web
Meet Splunk apps
Configure Splunk
Indexing with Splunk
Add data and configure inputs
Set up forwarding and receiving
Configure event processing
Configure event timestamping
Configure indexed field extraction
Manage users
Manage indexes
Define alerts
Set up backups and retention policies
Configure data security
Deploy to other Splunk instances
Set up distributed search
Manage search jobs
Use Splunk's command line interface (CLI)
Configuration file reference
Troubleshooting

Not finding the events you're looking for?

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Not finding the events you're looking for?

If you're searching for events and not finding them or looking at a dashboard and seeing "No result data", there could be a couple of reasons why:

Are you running Splunk Free?

Splunk Free does not support scheduled saved searches or summary indexing. If you're in an app that uses search artifacts created by scheduled searches (for example by including them with the HiddenSavedSearch module), those searches will be run on-demand when you view the dashboard. That may result in longer load times than you experienced in the Enterprise or Enterprise Trial versions.

If an app uses summary indexes, however, the summary index(es) will not be updated in a Free version of Splunk because the job scheduler is unavailable. If an app does not already have an alternative Free view defined, you may see "No Results" in dashboards that were relying on summary indexes.

Saved searches that were previously scheduled are still available, and you can run them manually as required. You can also view, move or modify them in the UI or in savedsearches.conf.

Review this topic about object ownership and this topic about configuration file precedence for information about where Splunk writes knowledge objects such as saved searches.

Learn more about Splunk Free

Was the data added under a different app?

When you add an input to Splunk, that input gets added relative to the app you're in. Some apps, like the *nix and Windows apps that ship with Splunk, write input data to a specific index (in the case of *Nix and Windows, that is the 'os' index). If you're not finding data that you're certain is in Splunk, be sure that you're looking at the right index. You may want to add the 'os' index to the list of default indexes for the role you're using. For more information about roles, refer to the topic about roles in this manual.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.1/Admin/Cantfindthedatayourelookingfor"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!