Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find out why Splunk Indexer re-indexed my IIS logs?

Nahra
New Member
‎01-12-2017 09:37 AM

Recently, my Splunk environment decided to re-index ALL of my IIS logs (which crushed my daily license quota). I have been tasked with finding the root cause of why that happened.

Is there anyway to find in the Splunk logs why it decided to re-index all these logs?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-12-2017 09:51 AM

Search index=_internal host=an_iis_forwarder NOT component="Metrics" for clues around the time of the reindex.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-12-2017 10:13 AM

A place to start would be to look at timestamps on your fishbucket.. Fishbucket is responsible for keeping pointers of what's been indexed, so this would be a reasonable assumption to check

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-12-2017 09:51 AM

Search index=_internal host=an_iis_forwarder NOT component="Metrics" for clues around the time of the reindex.

0 Karma
Reply
Solved! Jump to solution

Nahra
New Member
‎01-12-2017 11:04 AM

Looks like a new deployed was created that monitored the IIS log location and the old deployed app was removed.

Would that cause Splunk to re-index? I thought that data was separate from the app.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-12-2017 02:13 PM

Usually not, but it depends on the old and new input configuration.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-12-2017 11:23 AM

It would. Once the old app was removed, it will clear Splunk's monitoring list/_fishbucket which tracks the files being monitored (and till what point it has monitored the log file). When the new app was deployed, Splunk will treat that a new data monitoring and will read the file from start and can cause duplicates.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...