Alerting

Data not showing up in search

sourabhguha
Explorer

Hi,

I have an existing sourcetype for which I had some data earlier by pointing to a file. The events in the file show up in the search. Now I added another file and used the same sourcetype for it. However, the events from the new file do not show up in the search. I believe they are not getting indexed.

Please let me know what additional information or logs I can provide to help investigate this issue.

Thanks,

1 Solution

BobM
Builder

There are a few possibilities for this.

1) If a file is identical, or at least the first 1k and last 1k are identical, Splunk assumes it is the same file and does not re-index it.

2) If a file is random enough, Splunk may think it is binary and not index it.

3) If a file is tabular but with different columns to a previous file, Splunk indexes it but adds a number to the sourcetype to indicate it is a different type, e.g. IIS becomes IIS-2 etc.

4) If a monitor overlaps another input, it may not be indexed.

If you can identify one of these, we can work out a resolution.

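To narrow down which of the first three possibilities applies before opening a support case, here is an added triage script (not from this thread and not Splunk's own logic) that compares the previously indexed file with the new one. The 1 KB head/tail comparison follows the answer's description, while the binary test (non-printable-byte ratio or a NUL byte) and the header comparison are assumed approximations of Splunk's checks; the two IIS-style log files are constructed samples.

```python
import string
from pathlib import Path

HEAD_TAIL = 1024  # compare the first and last 1 KB, as the answer describes
TEXT_BYTES = bytes(string.printable, "ascii")


def same_head_tail(old: bytes, new: bytes, n: int = HEAD_TAIL) -> bool:
    """Possibility 1: first n and last n bytes identical, so likely treated as already indexed."""
    return old[:n] == new[:n] and old[-n:] == new[-n:]


def looks_binary(data: bytes, sample: int = 4096, threshold: float = 0.10) -> bool:
    """Possibility 2: assumed heuristic. A NUL byte or >10% non-printable bytes in the first 4 KB."""
    chunk = data[:sample]
    if not chunk:
        return False
    if b"\x00" in chunk:
        return True
    odd = sum(1 for c in chunk if c not in TEXT_BYTES)
    return odd / len(chunk) > threshold


def header_differs(old: bytes, new: bytes) -> bool:
    """Possibility 3: tabular files whose first line (the column header) differs."""
    return old.split(b"\n", 1)[0].strip() != new.split(b"\n", 1)[0].strip()


def diagnose(old: bytes, new: bytes) -> list:
    """Return the plain-language findings that apply to the new file."""
    findings = []
    if same_head_tail(old, new):
        findings.append("head/tail identical: Splunk may treat it as the already-indexed file")
    if looks_binary(new):
        findings.append("new file looks binary: it may be skipped")
    if header_differs(old, new):
        findings.append("column header differs: expect a numbered sourcetype such as IIS-2")
    return findings


def diagnose_files(old_path: str, new_path: str) -> list:
    """Same check against two files on disk (paths are whatever you pass in)."""
    return diagnose(Path(old_path).read_bytes(), Path(new_path).read_bytes())


# Constructed samples: an IIS-style log and a second one with an extra column.
OLD_LOG = b"date time s-ip cs-method cs-uri-stem sc-status\n2024-01-01 00:00:01 10.0.0.1 GET /index.html 200\n"
NEW_LOG = b"date time s-ip cs-method cs-uri-stem cs-uri-query sc-status\n2024-01-01 00:00:02 10.0.0.1 GET /login.html - 302\n"

if __name__ == "__main__":
    for line in diagnose(OLD_LOG, NEW_LOG):
        print(line)
```

An empty result means none of these three explanations fits, which points at possibility 4 (an overlapping monitor input) or at a time-range issue in the search itself.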

ihuzaifazahoor
New Member

Try to change your preset value to All Time.
