I have a big problem with the addition of data.
initially given 9 million are added. but after I find Splunk removes one million data.
Can you help please.
Hello every one,
Thank you for your participation,
I found the problem , but I did not understand why the problem is that I have more time , I added from the fields of these dates in TIMESTAMP_FIELDS after I left That a single TIMESTAMP_FIELDS field , I'll find out why . and what is the criteria on TIMESTAMP_FIELDS ??
It's a typo, he was mentioning this:
| tstats count values(sourcetype) where index=* OR index=_*
Just FYI, if your free space falls below 5GB, Splunk will stop indexing by default.
If this is the case, you might need to delete some temp files from your OS.
Or you can adjust this limit by going to : Settings -> System Settings -> General Settings -> Pause indexing if free disk space (in MB) falls below *
after searching , I think the problem comes from three files , I install Splunk entreprise in other computer problems remains with me these three files , I replaced these files by three other files of the same format and size but different data, me the data are added without problem.
Thank you all
Splunk is a FIFO system so if your index is set at a size of 80G and 10M events is roughly 1G, then the first (earliest) 10G will be frozen (purged) to make room for the last (latest) 10G.
Thank you for your reaction,
I create author index and , and I created a folder only contains three files, the Splunk began indexing but at some point it removes all that has indexed(COUNT EVENT=0) , knowing that I have not found this problem in Splunk light.
The Max Size=500GB
coldPath = $SPLUNK_DB/ffjj/colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/indexTest/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/indexTest/thaweddb
disabled = 0
disabled = false
index = indexTest
sourcetype = LICENCIE
Have you set your search time range to "All Time" ?
If it doesn't work, then go to Settings -> Indexes -> click on your index
1. Check your index How big is "Current Size" and "Max Size"?
2. How many "Event Count" are shown?
You might need to add more space if your index is running out of space