topic Re: How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256486#M49288 <P>Can you post a few log samples? Have you tried searching for a known missing log over all time? In the future? (<CODE>earliest=now latest=+1mon</CODE>)</P> Thu, 14 Jul 2016 21:44:46 GMT twinspop 2016-07-14T21:44:46Z How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256481#M49283 <P>Hi,</P> <P>We have an issue with Splunk getting data into indexes. We are getting data only during one hour (12.00 AM to 12.59 AM) every day. We have not specified any interval though in inputs.conf.</P> <P>Can you please advise why it is restricting indexing to this one hour?</P> <P>Please note that we have data in log files, verified our Universal forwarders side.</P> <P>Thanks</P> Thu, 14 Jul 2016 19:18:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256481#M49283 splunker9999 2016-07-14T19:18:30Z Re: How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256482#M49284 <P>Could you post your inputs.conf configuration? Do you see on Data Summary the data is being indexed?</P> Thu, 14 Jul 2016 19:33:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256482#M49284 gfreitas 2016-07-14T19:33:18Z Re: How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256483#M49285 <P>Hi Below is in inputs.conf.</P> <P>[monitor:///inpu/server*/logs/ca/data/]<BR /> disabled = 0<BR /> sourcetype = app:fp__ca<BR /> index = imdc_a</P> <P>yes, we could see in datasummary the data is available from 12.00 AM to 12.59 AM.</P> <P>Thanks<BR /> Sarath</P> Tue, 29 Sep 2020 10:13:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256483#M49285 splunker9999 2020-09-29T10:13:05Z Re: How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256484#M49286 <P>Do you see any messages on splunkd.log?</P> Thu, 14 Jul 2016 19:45:43 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256484#M49286 gfreitas 2016-07-14T19:45:43Z Re: How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256485#M49287 <P>No, we don't see any errors or message </P> Thu, 14 Jul 2016 20:03:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256485#M49287 splunker9999 2016-07-14T20:03:10Z Re: How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256486#M49288 <P>Can you post a few log samples? Have you tried searching for a known missing log over all time? In the future? (<CODE>earliest=now latest=+1mon</CODE>)</P> Thu, 14 Jul 2016 21:44:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256486#M49288 twinspop 2016-07-14T21:44:46Z Re: How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256487#M49289 <P>Below are sample logs </P> <PRE><CODE>07-14-2016 00:00:09.430 -0700 INFO ClientSessionsManager:Listener_AppEvents - Received count=3 AppEvents 07-14-2016 00:00:09.702 -0700 INFO PubSubSvr - Subscribed: channel=tenantService/handshake/reply/sgplu803/164E6DE8-9406-48ED-87D3-72BE00EFCC3E </CODE></PRE> Fri, 15 Jul 2016 00:03:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256487#M49289 splunker9999 2016-07-15T00:03:28Z Re: How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256488#M49290 <P>Can you see the index time?<BR /> ・・・| eval indextime=strftime(_indextime,"%Y/%m/%d %H:%M:%S")|table _time indextime</P> <P>Or format of this log can be confirmed?</P> Fri, 15 Jul 2016 00:36:09 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256488#M49290 HiroshiSatoh 2016-07-15T00:36:09Z Re: How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256489#M49291 <P>Hello splunker9999, have you confirmed there are logs on the instance with timestamps outside of (12.00 AM to 12.59 AM) ? </P> Fri, 15 Jul 2016 01:52:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256489#M49291 phadnett_splunk 2016-07-15T01:52:50Z Re: How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256490#M49292 <P>Yes confirm, Today also we got event from 12.00 to 12.59 AM</P> Fri, 15 Jul 2016 17:05:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256490#M49292 splunker9999 2016-07-15T17:05:05Z Re: How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256491#M49293 <PRE><CODE>_time and Index time for my data: Indexing is stopped exactly around 1.00 AM 50 Per Page Format Preview Prev 1 2 3 4 5 6 7 8 9 ... Next _time indextime 2016-07-15 00:59:59.665 2016/07/15 01:00:00 2016-07-15 00:59:59.665 2016/07/15 01:00:00 2016-07-15 00:59:54.652 2016/07/15 00:59:55 2016-07-15 00:59:54.652 2016/07/15 00:59:55 2016-07-15 00:59:49.642 2016/07/15 00:59:50 </CODE></PRE> Fri, 15 Jul 2016 17:08:15 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256491#M49293 splunker9999 2016-07-15T17:08:15Z Re: How to troubleshoot why data is only getting indexed in Splunk for 1 hour every day with no interval specified in inputs.conf? https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256492#M49294 <P>Hello Splunk9999, sorry for the confusion, I meant the actual log file you are monitoring. </P> Fri, 15 Jul 2016 17:12:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-troubleshoot-why-data-is-only-getting-indexed-in-Splunk/m-p/256492#M49294 phadnett_splunk 2016-07-15T17:12:13Z