Hello, My SearchHead(s) Search App’s Summary Dashboard does not display any information in the All indexed data, Sources , Source Types, and Hosts panels. I can seem to figure out why; however, I am able to search all my indexes just fine.
I am running a Distributed search setup where my SearchHead(s) DO NOT INDEX instead each SearchHead has the Light Forwarder App Enabled and _internal index is being forwared. Below is a btool dump of outputs.conf fromthe searchhead.
[tcpout]
system autoLBFrequency = 30
system blockOnCloning = true
system compressed = false
system connectionTimeout = 20
searchhead defaultGroup = ssl-autolb-group
system disabled = false
system dropClonedEventsOnQueueFull = 5
system dropEventsOnQueueFull = -1
system forceTimebasedAutoLB = false
SplunkForw forwardedindex.0.whitelist = .*
SplunkForw forwardedindex.1.blacklist = _.*
SplunkForw forwardedindex.2.whitelist = _audit
searchhead forwardedindex.3.whitelist = _internal
SplunkForw forwardedindex.filter.disable = false
system heartbeatFrequency = 30
system indexAndForward = false
system maxConnectionsPerIndexer = 2
system maxFailuresPerInterval = 2
SplunkForw maxQueueSize = 500KB
system readTimeout = 300
system secsInFailureInterval = 1
system sendCookedData = true
system useACK = false
system writeTimeout = 300
searchhead [tcpout:ssl-autolb-group]
searchhead autoLB = true
searchhead autoLBFrequency = 30
searchhead compressed = true
searchhead disabled = false
searchhead forceTimebasedAutoLB = true
searchhead server = myindexer01:9997, myindexer02:9997,myindexer03:9997
searchhead sslCertPath = $SPLUNK_HOME/etc/apps/mycustome_app/bin/auth/splunkCombinedCert.pem
searchhead sslRootCAPath = $SPLUNK_HOME/etc/apps/mycustome_app/bin/auth/SplunkCAcert.pem
searchhead sslVerifyServerCert = false
searchhead useACK = true