Why Splunk doesn't index all the lines in a monito...

andrei_radu · ‎11-16-2016

Hello,

I use Splunk Universal Forwarder 6.3.4 on a centralized syslog collector and it's set to monitor a folder populated with symbolic links. (inputs.conf content below).

[monitor:///service/rsyslog/splunk/critical_systems/]
followSymlink = true
host_segment=5
sourcetype = critical_unix
index = critical_systems

Everything went good until i noticed that not all the lines inside the monitored files are being indexed. I'm not filtering anything with props.conf and transforms.conf. There's no pattern for the lines that are skipped, everything is random.

Any idea why this is happening and how to fix it?

Thanks!

andrei_radu · ‎11-22-2016

I found my problem. There were 2 different apps monitoring the same location, sending data to different indexes. So logs went randomly into only one index. Disabled one of the apps and now everything looks fine.

ddrillic · ‎11-20-2016

When we index, we make an assumption that the Splunk time stamp process works well.

We see here an example where this process didn't work as expected - Can't index new data..? :S

It says -

lguinn2 · ‎11-20-2016

Do you see any messages in $SPLUNK_HOME/var/log/splunk/splunkd.log? In particular, I would look at this log file on the forwarder

Why Splunk doesn't index all the lines in a monitored file?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!