Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can't index new data..? :S

gelica
Communicator
‎07-24-2013 02:10 AM

I have some files that I want to index, I have created a new very simple sourcetype that fits my log format, and in the preview it looks fine. When I index the files I can see the event count changing in the search summary, and my source type and sources are showing up as well.

But when I run a search these events never show up! Here are some of the searches I tried, and none of my events from this source type is showing up:

  • sourcetype=my_source_type
  • *
  • sourcetype=*
  • source=path_to_one_of_the_files

My source type looks like this, and is generated by Splunk, I want to break at every timestamp(I've also tried setting SHOULD_LINEMERGE and LINE_BREAKER to break at every new line to see if that made any difference):

[my_source_type]
NO_BINARY_CHECK = 1
pulldown_type = 1

And my files look like this:

2013-03-18 03:51:28,616  INFO  [22] Deleting id=100188304
2013-03-18 03:51:28,631  INFO  [22] Deleting id=100188314
2013-03-18 03:51:28,631  INFO  [22] Deleting id=100188313
2013-03-18 08:37:51,728  INFO  [46] Checking access to 'path'

I'm using a free license for now, and after I've been trying to index these files I exceeded my limit, but this issue occured before exceeding the limit.

Does anyone know why I get this weird problem? :S

UPDATE:
I tried the splunk clean eventdata command in CLI, and then reindex some files with other custom source types that worked before, and I see the event count changing, saying that 133 events are indexed.
Then I run a search for * and Splunk says it has found 133 events, but no events is showing :S

The difference with these events compared to the ones with my new source type is that now Splunk tells me it found 133 events but I can't see them, with the new source type Splunk doesn't find any events at all of that source type...

UPDATE #2:
In case anyone wonders, I checked splunkd.log when I tried to index my files, but no errors, only a warning on two of my files(I tried to index more than two files):

WARN  LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gelica
Communicator
‎07-24-2013 06:10 AM

I figured out the reason to my problem, but I'm not sure of how I fixed it 😛

For some reason, Splunk created empty timestamps for my events, and because of that the events didn't show.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gelica
Communicator
‎07-24-2013 06:10 AM

I figured out the reason to my problem, but I'm not sure of how I fixed it 😛

For some reason, Splunk created empty timestamps for my events, and because of that the events didn't show.

0 Karma
Reply
Solved! Jump to solution

gelica
Communicator
‎07-24-2013 04:25 AM

Here is a screenshot of what happens when I'm searching for * (cropped in the middle), as you can see, Splunk claims it finds 410 events but they aren't showing :S

splunk_weird

0 Karma
Reply
Solved! Jump to solution

gelica
Communicator
‎07-24-2013 03:48 AM

I tried both uploading a log once from the web ui, and adding a monitor in the config files. I tried with different log files.
I know that the monitors doesn't index already indexedd files, but if that was the case, the event count wouldn't change in the search summary..

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎07-24-2013 03:28 AM

How did you add the log? from splunk UI? If the option is not selected to continuously collect data, then it will be monitored only once and you will not get the data anymore if it's deleted. Need to add it again.

0 Karma
Reply
Solved! Jump to solution

dariusz_kwasny
Explorer
‎07-24-2013 02:47 AM

Try to add index=* at the beggining of your search. By default, Search App is searching default index only. Maybe, somehow, your events went to different index.

0 Karma
Reply
Solved! Jump to solution

gelica
Communicator
‎07-24-2013 06:00 AM

All of my sourcetypes belong to the main index. I should have rights since I'm running everything locally and I am admin.

0 Karma
Reply
Solved! Jump to solution

jtworzydlo
Path Finder
‎07-24-2013 05:37 AM

Do you know to which index this sourcetype belongs? Do you have rights to view the events of this index? What role are you using?

0 Karma
Reply
Solved! Jump to solution

gelica
Communicator
‎07-24-2013 02:49 AM

I tried your suggestion, unfortunately that wasn't the issue 😕

0 Karma
Reply
Solved! Jump to solution

gelica
Communicator
‎07-24-2013 02:39 AM

I'm searching over all time, so that shouldn't be a problem..

0 Karma
Reply
Solved! Jump to solution

linu1988
Champion
‎07-24-2013 02:37 AM

What's the time interval chosen for the search? as you can see the time in the log will be the index time, it will not be recent data. All other configuration is correct.

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top