Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Data not showing up in search

sourabhguha
Explorer
‎04-05-2013 07:20 AM

Hi,

I have an existing sourcetype for which I had some data earlier by pointing to a file. The events in the file show up in the search. Now I added another file and used the same sourcetype for it. However, the events from the new file do not show up in the search. i believe they are not getting indexed.

Please let me know what additional information or logs i can provide to help investigate this issue.

Thanks,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

BobM
Builder
‎04-05-2013 07:44 AM

There are a few possibilities for this.

1) If a file is identical or at least the first 1k and last 1k are identical, splunk assumes it is the same file and does not re-index it.

2) If a file is random enough, splunk may think it is binary and not index it.

3) If a file is tabular but with different columns to a previous file, splunk indexes it but adds a number to the sourcetype to indicate it is a different type. e.g. IIS becomes IIS-2 etc.

4) If monitor overlaps another input it may not be indexed.

If you can identify one of these, we can work out a resolution.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ihuzaifazahoor
New Member
‎02-03-2020 04:17 AM

Try to change preset value to All Time,Try to change your preset to All Time

0 Karma
Reply
Solved! Jump to solution
Solution

BobM
Builder
‎04-05-2013 07:44 AM

There are a few possibilities for this.

1) If a file is identical or at least the first 1k and last 1k are identical, splunk assumes it is the same file and does not re-index it.

2) If a file is random enough, splunk may think it is binary and not index it.

3) If a file is tabular but with different columns to a previous file, splunk indexes it but adds a number to the sourcetype to indicate it is a different type. e.g. IIS becomes IIS-2 etc.

4) If monitor overlaps another input it may not be indexed.

If you can identify one of these, we can work out a resolution.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...