All Apps and Add-ons

Some log files not getting indexed

Path Finder

I'm using Splunk 4.2.1 Enterprise Trial

I have a directory C:\TestLogs\ set up to be the root dir of log files to consume for indexing.
Yesterday, I dropped 4 directories of 3 files each in there.
Only 6 files showed up in the Splunk Search Summary page.
(I see those files listed in C:\Program Files\Splunk\var\log\splunk\license_usage.log)

How do I get Splunk to index the other 6 files?

Today, in C:\Program Files\Splunk\var\log\splunk\license_audit.log, I see:

07-12-2011 00:00:00.210 INFO LicenseManager-Audit - Audit:[quotaExceededCount=0, lastExceedDate=0, peak=509953709, rolloverCount=1, totalCumulativeBytesAtRollover=509953709, todaysBytesIndexed=509953709, licenseSize=524288000]

Did I exceed my quota for the trial?

0 Karma
1 Solution

Path Finder

Yes, user has access to the log files. They are not binary files, and they are not duplicate copies.

I rebooted the PC, and it appears to have resumed indexing the remaining log files.

In C:\Program Files\Splunk\var\log\splunk\license_audit.log, I see:

07-13-2011 00:00:00.568 INFO LicenseManager-Audit - Audit:[quotaExceededCount=0, lastExceedDate=0, peak=37783088, rolloverCount=2, totalCumulativeBytesAtRollover=37783088, todaysBytesIndexed=37783088, licenseSize=524288000]

View solution in original post

Path Finder

Yes, user has access to the log files. They are not binary files, and they are not duplicate copies.

I rebooted the PC, and it appears to have resumed indexing the remaining log files.

In C:\Program Files\Splunk\var\log\splunk\license_audit.log, I see:

07-13-2011 00:00:00.568 INFO LicenseManager-Audit - Audit:[quotaExceededCount=0, lastExceedDate=0, peak=37783088, rolloverCount=2, totalCumulativeBytesAtRollover=37783088, todaysBytesIndexed=37783088, licenseSize=524288000]

View solution in original post

SplunkTrust
SplunkTrust

Hi NK

did you search for your logfiles in splunk, like source=YourLogFiles - are they really not there? there could be many reasons for that:

  • has the user running splunk read access to the files?
  • are those missing files binary? if so they, are not indexed.
  • are those files copies of the indexed files? if so they are not indexed again.
  • search index=_internal for your missing files to see what's in the logs

I don't think you ran into a quota problem, because the log states

quotaExceededCount=0

which means you had no quote exceeded.

regards