New Deployment - Unable to Query (Dead Indexer?)

Hi everyone,

I’ve got my deployment up and running and ingesting events. I’m able to see various streams but when I query for any data I always receive “data is not available for the selected duration”.

The thing that’s standing out to me is the indexer is flat. The relevant services are all up and green and I’m ingesting a fairly low EPS, but I would expect to see the indexer showing something on the graph.

Any recommendations to troubleshoot indexing?

Hi there,

Can you reconfirm the physical setup - looks like the cluster has not initiated.

This doc should have clues - Troubleshooting Search - Knowledge Base

Let me know what you see.

Suman

Great thank you for the quick reply!

I did manage to get it to query on one of the winlogbeat streams successfully. However when I try and search for some of my generic syslog that I still need to write parsers for, I always seem to return the “data is not available for the selected duration” error regardless of how I try and query.

I did come across this article (even though it's for version 8.x) that gave some examples on how to search the non-standard logs. The adapter shows those logs as they come in as NLF but I can't seem to find a way to show the log.

Is there a recommended method for getting the raw logs for NLFs so I can start writing the parser?

Thanks again!

Hi Tenways,
Can you please elaborate - which is this device that is in Syslog for which you want to write Extractors (yeah, we call them Extractors now :slight_smile:)?
Please check our Extractor list here to see if your device is already here.
Also, you can check our Release Board to see if we already have plans made for that device.

Regards,
BodhiSaar

Hi @Tenways

In addition to the above suggestions from @BodhiSaar, here is a similar topic on the forum that might help -> Observing Error While Searching

PS: I guess, raw log events can be seen in the field/column named “$LogEvent”, you can check this out.

Hope this helps.