Deployment Architecture

Not indexing

kcav
New Member

We have just set up Distributed search with 2 indexers and one search node. Our data source is a folder with log files. The splunkd.log show many lines with the following
WatchFile - using folow tail will begin reading EOF for F:\splunk\index01....
But we get No results when searching. Are we being impatient?

Tags (2)
0 Karma

kcav
New Member

Thanks for your help

0 Karma

yannK
Splunk Employee
Splunk Employee

it can be :

  • the forwarder has a default thruput limit of 256KBps, and is queuing a large file
  • the events have a misconfigured sourcetype, causing the timestamp/timezone to be misinterpreted, and the events to be in the future (or centuries in the past). Verify with a real-time "alltime" search to see the events that are currently received.

you also can check in your license logs to see is the file has been indexed (index=_internal source=license_usage.log "myfile" )

Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...