Hello
I have a big problem with the addition of data.
Initially, 9 million are added, but afterwards I find that Splunk removes one million of the data.
Can you help, please?
Hello everyone,
Thank you for your participation,
I found the problem, but I did not understand why. The problem is that I have more than one time field; I had added these date fields to TIMESTAMP_FIELDS, and afterwards I left only a single field in TIMESTAMP_FIELDS. I'll find out why. And what are the criteria for TIMESTAMP_FIELDS?
What do you see with this search:
| tstats count valuse(sourcetype) where index=* OR index=_*
This command gives 0 events and null values.
It's a typo, he was mentioning this:
| tstats count values(sourcetype) where index=* OR index=_*
Just FYI, if your free space falls below 5GB, Splunk will stop indexing by default.
If this is the case, you might need to delete some temp files from your OS.
Or you can adjust this limit by going to: Settings -> System Settings -> General Settings -> Pause indexing if free disk space (in MB) falls below *
After searching, I think the problem comes from three files. I installed Splunk Enterprise on another computer and the problem remains with these three files. I replaced these files with three other files of the same format and size but different data, and the data are added without problem.
Thank you all
You have tagged this splunk-enterprise, but then you mention "splunk light". What are you using?
Now I use Splunk Enterprise. (Before, I used Splunk Light and I had not found the problem.)
Splunk is a FIFO system so if your index is set at a size of 80G and 10M events is roughly 1G, then the first (earliest) 10G will be frozen (purged) to make room for the last (latest) 10G.
Thank you for your reaction,
I created another index, and I created a folder that contains only three files. Splunk began indexing, but at some point it removes everything it has indexed (COUNT EVENT=0), knowing that I have not found this problem in Splunk Light.
index characteristic:
range=ALL Time
The Max Size=500GB
index.conf:
[indexTest]
coldPath = $SPLUNK_DB/ffjj/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/indexTest/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/indexTest/thaweddb
disabled = 0
input.conf:
[monitor:///data/splunk/test]
disabled = false
index = indexTest
sourcetype = LICENCIE
Have you set your search time range to "All Time"?
If it doesn't work, then go to Settings -> Indexes -> click on your index
1. Check your index: how big are "Current Size" and "Max Size"?
2. How many "Event Count" are shown?
You might need to add more space if your index is running out of space
Thank you for your reaction,
range=ALL Time
The Max Size=500GB
The current Size=1MB (I find it also removes all events)
Event Count=0