Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How come when I try to add data, there is no ingestion is happening?

splunkannm
New Member
‎10-15-2018 12:57 PM

Im trying to use the index once option of add data to ingest a 6G tsv file. It does not show any preview and does not ingest data though it says successful ( 0 events ).

it has 4.5 million records.

0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎10-16-2018 03:25 PM

Hi @splunkannm,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma
Reply

MuS
Legend
‎10-15-2018 05:40 PM

Hi splunkannm,

if you have a large amount of data to index once, put it into $SPLUNK_HOME/var/spool/splunk/ this is a sinkhole directory. Anything you put in there will be indexed, and once indexed it will be deleted by Splunk.
The events will be available in index=main or whatever you did setup as the default index.

More details in the docs here http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorFilesandDirectories#Why_use_upload_or...

If you need to specify a different index or sourcetype, simply create another sinkhole directory using inputs.conf and the [batch://...] stanza http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#BATCH_.28.22Upload_a_file.22_in_...

Hope this helps ...

cheers, MuS

0 Karma
Reply

splunkannm
New Member
‎10-16-2018 03:27 PM

While this is useful information , that I will keep note of, my question is why is the add data option not working and throwing a JS error (404). I even tried a simple file as below :

a,b,c
1,2,3

0 Karma
Reply

pruthvikrishnap
Contributor
‎10-15-2018 04:38 PM

Hi,
Try selecting a suitable sourcetype while indexing the data.
Also as adonio mentioned, please try indexing a file which has less volume and check if everything works fine.

0 Karma
Reply

splunkannm
New Member
‎10-15-2018 04:41 PM

I tried with a simple one liner file as mentioned in my comment above. Its not working still..

0 Karma
Reply

splunkannm
New Member
‎10-15-2018 01:30 PM

Actually its more like -> add data even a one line csv is not working . Getting this JS error

splunkd/_raw/services/dmc-conf/settings/settings?output_mode=json&=1539635024124 404 not found

0 Karma
Reply

adonio
Ultra Champion
‎10-15-2018 04:34 PM

the single file upload is limited to 500MB
try and monitor the file:
http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Monitorfilesanddirectories

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...