Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How come when I try to add data, there is no ingestion is happening?

splunkannm
New Member
‎10-15-2018 12:57 PM

Im trying to use the index once option of add data to ingest a 6G tsv file. It does not show any preview and does not ingest data though it says successful ( 0 events ).

it has 4.5 million records.

0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎10-16-2018 03:25 PM

Hi @splunkannm,

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎10-15-2018 05:40 PM

Hi splunkannm,

if you have a large amount of data to index once, put it into $SPLUNK_HOME/var/spool/splunk/ this is a sinkhole directory. Anything you put in there will be indexed, and once indexed it will be deleted by Splunk.
The events will be available in index=main or whatever you did setup as the default index.

More details in the docs here http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorFilesandDirectories#Why_use_upload_or...

If you need to specify a different index or sourcetype, simply create another sinkhole directory using inputs.conf and the [batch://...] stanza http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#BATCH_.28.22Upload_a_file.22_in_...

Hope this helps ...

cheers, MuS

0 Karma
Reply

splunkannm
New Member
‎10-16-2018 03:27 PM

While this is useful information , that I will keep note of, my question is why is the add data option not working and throwing a JS error (404). I even tried a simple file as below :

a,b,c
1,2,3

0 Karma
Reply

pruthvikrishnap
Contributor
‎10-15-2018 04:38 PM

Hi,
Try selecting a suitable sourcetype while indexing the data.
Also as adonio mentioned, please try indexing a file which has less volume and check if everything works fine.

0 Karma
Reply

splunkannm
New Member
‎10-15-2018 04:41 PM

I tried with a simple one liner file as mentioned in my comment above. Its not working still..

0 Karma
Reply

splunkannm
New Member
‎10-15-2018 01:30 PM

Actually its more like -> add data even a one line csv is not working . Getting this JS error

splunkd/_raw/services/dmc-conf/settings/settings?output_mode=json&=1539635024124 404 not found

0 Karma
Reply

adonio
Ultra Champion
‎10-15-2018 04:34 PM

the single file upload is limited to 500MB
try and monitor the file:
http://docs.splunk.com/Documentation/Splunk/7.2.0/Data/Monitorfilesanddirectories

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...