https://community.splunk.com/t5/Getting-Data-In/Missing-data-in-ingested-log/m-p/755211#M119839 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230393">@phamxuantung</a>&nbsp;</P><P>When you say you have checked the number of events in the log ingested, are you checking this for the number of events in Splunk or number of lines in the log file?&nbsp;</P><P>Assuming that an event is a single line in the log file, you could do something like this to get the number of events in the log file:</P><LI-CODE lang="markup">wc -l &lt;pathToLog&gt;</LI-CODE><P>This will provide the number of lines in the log, you should then to a check in Splunk:</P><LI-CODE lang="markup">| tstats count where index=yourIndex source=pathToLog</LI-CODE><P>Please can you check these values and let us know what you get back?</P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 05 Nov 2025 12:08:25 GMT livehybrid 2025-11-05T12:08:25Z https://community.splunk.com/t5/Getting-Data-In/Missing-data-in-ingested-log/m-p/755206#M119838 <P>Hello,</P><P>I have an input config to monitor file output of Golden Gate (basically content of a Oracle database output as text file in real time). The file is continously write then switch to a new file in a chunk of 10'. The number of event is quite large, also the speed of writing (around 100mil events a day, ~600 events/sec at peak)</P><P>How do I know the log event is missing:&nbsp;</P><P>Because I counted the number of events in DB and counted the number of events in the log ingested. For example from 11:00:00 to 12:00:00, the ingested log have 1mil events, while the database have 2 mil rows.</P><P>The monitored config is as follow:</P><P>[monitor://outputfile/TEXT/RDB22/ISO/*/*/*/*]&nbsp; #The log file save in a partten of year/month/day/hour</P><P>disabled = false</P><P>sourcetype = mycustomsourcetype</P><P>index = mycustomindex</P><P>ignoreOlderThan = 20m</P><P>The sourcetype is as follow</P><P>[mycustomsourcetype]<BR />SHOULD_LINEMERGE = false<BR />LINE_BREAKER = (\r?\n)+I\|<BR />INDEXED_EXTRACTIONS = CSV<BR />FIELD_DELIMITER = |<BR />HEADER_FIELD_LINE_NUMBER = 0<BR />KV_MODE= none<BR />TRUNCATE = 999999<BR />TIME_PREFIX = \|(?=20\d{2}-\d{2}-\d{2}\s)<BR />TIME_FORMAT = %Y-%m-%d %H:%M:%S<BR />MAX_TIMESTAMP_LOOKAHEAD = 19<BR /><BR /></P><P>Any help with how to troubleshoot this problem would be very appriciate.</P> Wed, 05 Nov 2025 10:21:03 GMT https://community.splunk.com/t5/Getting-Data-In/Missing-data-in-ingested-log/m-p/755206#M119838 phamxuantung 2025-11-05T10:21:03Z https://community.splunk.com/t5/Getting-Data-In/Missing-data-in-ingested-log/m-p/755211#M119839 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230393">@phamxuantung</a>&nbsp;</P><P>When you say you have checked the number of events in the log ingested, are you checking this for the number of events in Splunk or number of lines in the log file?&nbsp;</P><P>Assuming that an event is a single line in the log file, you could do something like this to get the number of events in the log file:</P><LI-CODE lang="markup">wc -l &lt;pathToLog&gt;</LI-CODE><P>This will provide the number of lines in the log, you should then to a check in Splunk:</P><LI-CODE lang="markup">| tstats count where index=yourIndex source=pathToLog</LI-CODE><P>Please can you check these values and let us know what you get back?</P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 05 Nov 2025 12:08:25 GMT https://community.splunk.com/t5/Getting-Data-In/Missing-data-in-ingested-log/m-p/755211#M119839 livehybrid 2025-11-05T12:08:25Z