https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379850#M68617 <P>Probably we've figured out the root cause. Last week we indexed 20 gb for this instance within one day and have a configured thruput of 256 kb. So it was only a delayed indexing and not a "outage" of the forwarder itself.</P> Mon, 18 Feb 2019 08:58:39 GMT Paul1896 2019-02-18T08:58:39Z https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379840#M68607 <P>Hello,</P> <P>we have problems with some log files which are randomly don't get indexed for a couple of hours. There is no log rotation during this time period and sometimes even no restart of the splunk forwarder is neccessary to start again with indexing.</P> <P>Output splunkd.log filtered for affected "audit_log":</P> <PRE><CODE> 02-12-2019 12:09:57.358 +0100 DEBUG ChunkedLBProcessor - Chunked Line Breaker Processing has been disabled for for sourcetype::audit_log 02-12-2019 12:09:57.358 +0100 INFO UTF8Processor - Converting using CHARSET="UTF-8" for conf "source::/xxx/audit.log|host::xxx|Haudit_log|339419" 02-12-2019 06:33:16.783 +0100 INFO S2SSender - Abandoning channel with code=2, conf="source::/xxx/audit.log|host::xxx|audit_log|339419", unique_id=422585, last_touched=1549948674, last_touched_asctime="Tue Feb 12 06:17:54 2019", age=922281, ttl=300000 02-12-2019 06:17:54.985 +0100 INFO Metrics - group=per_sourcetype_thruput, series="audit_log", kbps=0.06303521503133032, eps=0.5483843194729626, kb=1.9541015625, ev=17, avg_age=0.6470588235294118, max_age=5 02-12-2019 06:17:54.503 +0100 DEBUG TcpOutputProc - Pushed eventId=61 on chanId=422585 to back of tcp client (tcp output) queue. source:source::/xxx/audit.log|host::xxx|audit_log|339419 </CODE></PRE> Tue, 12 Feb 2019 13:11:51 GMT https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379840#M68607 Paul1896 2019-02-12T13:11:51Z https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379841#M68608 <P>If there is log rotation and you do not have some kind of housekeeping setup to delete the older files, the Splunk forwarder will get slower and slower and slower. Once you hit thousands of files in the same directory, Splunk will seem to stop forwarding completely. You have to keep the number of dead files low.</P> Tue, 12 Feb 2019 16:22:36 GMT https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379841#M68608 woodcock 2019-02-12T16:22:36Z https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379842#M68609 <P>Hey @woodcock thanks for your reply! We have a housekeeping in place and the monitor doesn't match the older logs which are already rotated. So in my understanding the size &amp; total of files of/in the folder itself isn't important in case if your monitor just indexing a specified logfile in it. Please correct me if I'm wrong. We also facing the problem only from time to time and after a while or a reboot the logging works without any problems.</P> Wed, 13 Feb 2019 07:54:33 GMT https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379842#M68609 Paul1896 2019-02-13T07:54:33Z https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379843#M68610 <P>Your understanding is completely wrong. Even though the rotated files do not match the monitor stanza, they still have a deadly impact on the forwarder. Splunk still has to sort through them and when they pile up, Splunk performance will crater. Restarting Splunk causes it to work for a short short spurt and then it goes right back to poor performance. Here is an easy way to fix it.</P> <P><A href="https://answers.splunk.com/answers/309910/how-to-monitor-a-folder-for-newest-files-only-file.html">https://answers.splunk.com/answers/309910/how-to-monitor-a-folder-for-newest-files-only-file.html</A></P> Wed, 13 Feb 2019 16:08:15 GMT https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379843#M68610 woodcock 2019-02-13T16:08:15Z https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379844#M68611 <P>What version of Splunk are you using? There are some v6 releases that have big problems like this:</P> <P><A href="https://answers.splunk.com/answers/549663/splunk-661-stops-monitoring-files.html#answer-718797">https://answers.splunk.com/answers/549663/splunk-661-stops-monitoring-files.html#answer-718797</A></P> Wed, 13 Feb 2019 17:26:23 GMT https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379844#M68611 woodcock 2019-02-13T17:26:23Z https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379845#M68612 <P>@Paul1896 - about how many files we are talking about on this path? </P> Wed, 13 Feb 2019 18:12:33 GMT https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379845#M68612 ddrillic 2019-02-13T18:12:33Z https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379846#M68613 <P>@ddrillic We're talking just about 220 files</P> Thu, 14 Feb 2019 13:35:08 GMT https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379846#M68613 Paul1896 2019-02-14T13:35:08Z https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379847#M68614 <P>We're using Splunk 7.1.5</P> Thu, 14 Feb 2019 13:35:23 GMT https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379847#M68614 Paul1896 2019-02-14T13:35:23Z https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379848#M68615 <P>If that's the case, the number of files couldn't be the issue.</P> Thu, 14 Feb 2019 15:09:26 GMT https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379848#M68615 ddrillic 2019-02-14T15:09:26Z https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379849#M68616 <P>It can if the <CODE>depth</CODE> is not limited. Are there any <CODE>...</CODE> in the file path? Are there hundreds of other potential path points with many files in them? This can still be the problem!!!</P> Thu, 14 Feb 2019 21:08:43 GMT https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379849#M68616 woodcock 2019-02-14T21:08:43Z https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379850#M68617 <P>Probably we've figured out the root cause. Last week we indexed 20 gb for this instance within one day and have a configured thruput of 256 kb. So it was only a delayed indexing and not a "outage" of the forwarder itself.</P> Mon, 18 Feb 2019 08:58:39 GMT https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379850#M68617 Paul1896 2019-02-18T08:58:39Z https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379851#M68618 <P>That would definitely do it. Please click <CODE>Accept</CODE> here to close the question.</P> Wed, 06 Mar 2019 09:16:04 GMT https://community.splunk.com/t5/Getting-Data-In/data-stop-getting-indexed-for-couple-of-hours/m-p/379851#M68618 woodcock 2019-03-06T09:16:04Z