<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Splunk not indexing data for files in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-indexing-data-for-files/m-p/117044#M24401</link>
    <description>&lt;P&gt;How do you know they're not getting indexed? The thing I see immediately is that the timestamp is pretty far into the event so Splunk probably won't pick it up using default settings. Instead it'll resort to other means of determining the events' timestamps (see &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps&lt;/A&gt;). How are you looking for the events you expect to see? Are you searching over all time? Do you have a specific sourcetype that you're looking for? Give us more details about how you've set up the input and what you've done to determine things aren't working, please.&lt;/P&gt;</description>
    <pubDate>Mon, 28 Oct 2013 06:33:02 GMT</pubDate>
    <dc:creator>Ayn</dc:creator>
    <dc:date>2013-10-28T06:33:02Z</dc:date>
    <item>
      <title>Splunk not indexing data for files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-indexing-data-for-files/m-p/117043#M24400</link>
      <description>&lt;P&gt;Hi, &lt;/P&gt;

&lt;P&gt;I have the following events in my log files. These are tab delimited fields. The files are not getting indexed by Splunk.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;78a581fb-c193-45b0-86c5-2736777c7b58    60ef9efb-496f-1050-34bb-a9a1c782a7ba    All Hosts   10.0    \N  \N  \N  \N  \N  2.2 \N  \N  31.996002197265625  15.100006103515625  16.89599609375  52.80658499015208   15.998001098632812  3.590625    1.122210511757889   16.89599609375  2013-10-23 00:00:00 2013-10-23 00:59:59
a3532c01-3b5e-4dd1-9508-b2153f98b4f0    a854ba84-57fb-0bc6-e241-00a050dab35a    Marc's Servers  3.0 \N  \N  \N  \N  \N  1.3333333333333333  \N  \N  7.9211578369140625  3.3072255452473955  4.613932291666667   58.24820546012715   7.9211578369140625  0.6666666666666666  0.2524883408685066  4.613932291666667   2013-10-23 00:00:00 2013-10-23 00:59:59
a8ea7c79-50f5-4851-947a-3dcdbfab1cf5    d5a74d0c-c896-42e8-70f8-beedc69105f6    All Hosts   150.0   100.0   75.0    25.0    25.0    4.0 4.0 6.0 150.0   399.9500274658203   -0.05028128147136357    400.0003087472916   100.01257189099096  15.998001098632812  4.0 1.500187420417857   400.0003087472916   2013-10-23 00:00:00 2013-10-23 00:59:59
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Would you know why that would be the case? I tried indexing IIS log files and they are working fine as expected.&lt;/P&gt;

&lt;P&gt;Please let me know if you would like any additional information for troubleshooting.&lt;/P&gt;

&lt;P&gt;Thanks,&lt;/P&gt;</description>
      <pubDate>Mon, 28 Oct 2013 04:26:53 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-indexing-data-for-files/m-p/117043#M24400</guid>
      <dc:creator>sourabhguha</dc:creator>
      <dc:date>2013-10-28T04:26:53Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk not indexing data for files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-indexing-data-for-files/m-p/117044#M24401</link>
      <description>&lt;P&gt;How do you know they're not getting indexed? The thing I see immediately is that the timestamp is pretty far into the event so Splunk probably won't pick it up using default settings. Instead it'll resort to other means of determining the events' timestamps (see &lt;A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps"&gt;http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps&lt;/A&gt;). How are you looking for the events you expect to see? Are you searching over all time? Do you have a specific sourcetype that you're looking for? Give us more details about how you've set up the input and what you've done to determine things aren't working, please.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Oct 2013 06:33:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-indexing-data-for-files/m-p/117044#M24401</guid>
      <dc:creator>Ayn</dc:creator>
      <dc:date>2013-10-28T06:33:02Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk not indexing data for files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-indexing-data-for-files/m-p/117045#M24402</link>
      <description>&lt;P&gt;Here are the details that you requested. Following are the sourcetypes in my system. I have highlighted the one corresponding to my input. Splunk has identified there are 196 files for that sourcetype. See this image - &lt;A href="http://sdrv.ms/1iosB8H"&gt;http://sdrv.ms/1iosB8H&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;However, when I try to search for it in the data summary, I do not see any events from that sourcetype. See image here - &lt;A href="http://sdrv.ms/1iosMRf"&gt;http://sdrv.ms/1iosMRf&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Here is the sample log file that I am indexing into Splunk - &lt;A href="http://sdrv.ms/1g6yDht"&gt;http://sdrv.ms/1g6yDht&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;Thanks.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Oct 2013 12:02:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-indexing-data-for-files/m-p/117045#M24402</guid>
      <dc:creator>sourabhguha</dc:creator>
      <dc:date>2013-10-28T12:02:03Z</dc:date>
    </item>
    <item>
      <title>Re: Splunk not indexing data for files</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-indexing-data-for-files/m-p/117046#M24403</link>
      <description>&lt;P&gt;Hi Ayn, did the above information help with understanding the root cause of the issue?&lt;/P&gt;</description>
      <pubDate>Wed, 30 Oct 2013 15:16:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Splunk-not-indexing-data-for-files/m-p/117046#M24403</guid>
      <dc:creator>sourabhguha</dc:creator>
      <dc:date>2013-10-30T15:16:58Z</dc:date>
    </item>
  </channel>
</rss>

