Getting Data In

How to find out why Splunk Indexer re-indexed my IIS logs?

New Member

Recently, my Splunk environment decided to re-index ALL of my IIS logs (which crushed my daily license quota). I have been tasked with finding the root cause of why that happened.

Is there any way to find in the Splunk logs why it decided to re-index all these logs?

0 Karma
1 Solution

SplunkTrust

Search index=_internal host=an_iis_forwarder NOT component="Metrics" for clues around the time of the reindex.

0 Karma

SplunkTrust

A place to start would be to look at timestamps on your fishbucket. Fishbucket is responsible for keeping pointers of what's been indexed, so this would be a reasonable assumption to check.

0 Karma

New Member

Looks like a new deployed app was created that monitored the IIS log location and the old deployed app was removed.

Would that cause Splunk to re-index? I thought that data was separate from the app.

0 Karma

SplunkTrust

Usually not, but it depends on the old and new input configuration.

0 Karma

SplunkTrust

It would. Once the old app was removed, it will clear Splunk's monitoring list/_fishbucket, which tracks the files being monitored (and till what point it has monitored the log file). When the new app was deployed, Splunk will treat that as new data monitoring and will read the file from the start, which can cause duplicates.

0 Karma
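The sequence discussed in this thread (old app removed, new app deployed, monitored files read again from the start) can be checked against a forwarder's splunkd.log with a short script. This is an added example, not code from any poster or from Splunk; the sample lines, app names, paths and message wording are constructed assumptions to adjust to what your own splunkd.log shows.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed forwarder splunkd.log lines. App names, paths and message wording
# are assumptions for illustration, not taken from the thread.
SAMPLE = r"""
03-14-2016 09:58:02.101 -0500 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2
03-14-2016 10:01:10.412 -0500 INFO  DeployedApplication - Removing app=iis_inputs_old
03-14-2016 10:01:11.020 -0500 INFO  DeployedApplication - Installing app=iis_inputs_new
03-14-2016 10:01:40.377 -0500 INFO  TailingProcessor - Parsing configuration stanza: monitor://C:\inetpub\logs\LogFiles.
03-14-2016 10:01:41.002 -0500 INFO  WatchedFile - Will begin reading at offset=0 for file='C:\inetpub\logs\LogFiles\W3SVC1\u_ex160312.log'.
03-14-2016 10:01:41.350 -0500 INFO  WatchedFile - Will begin reading at offset=0 for file='C:\inetpub\logs\LogFiles\W3SVC1\u_ex160313.log'.
03-14-2016 10:01:41.911 -0500 INFO  WatchedFile - Will begin reading at offset=52431 for file='C:\app\logs\service.log'.
""".strip().splitlines()

LINE = re.compile(r"^(\d\d-\d\d-\d{4} \d\d:\d\d):\d\d\.\d+ \S+ (\w+)\s+(\S+) - (.*)$")
RULES = [  # (component, pattern capturing the subject, label)
    ("DeployedApplication", re.compile(r"app=(\S+)"), "app change"),
    ("TailingProcessor", re.compile(r"monitor://(.+?)\.?$"), "monitor stanza parsed"),
    ("WatchedFile", re.compile(r"offset=0 for file='([^']+)'"), "read from offset 0"),
]

def clues(lines):
    """Return (minute, component, label, subject) tuples, ignoring Metrics lines."""
    out = []
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) == "Metrics":
            continue
        minute = datetime.strptime(m.group(1), "%m-%d-%Y %H:%M")
        for component, pattern, label in RULES:
            hit = pattern.search(m.group(4)) if m.group(3) == component else None
            if hit:
                out.append((minute, component, label, hit.group(1)))
    return out

def rereads_after_app_change(lines):
    """Count offset-0 reads per minute at or after the first app change."""
    found = clues(lines)
    changes = [t for t, _, label, _ in found if label == "app change"]
    if not changes:
        return Counter()
    return Counter(t for t, _, label, _ in found
                   if label == "read from offset 0" and t >= min(changes))

if __name__ == "__main__":
    for minute, component, label, subject in clues(SAMPLE):
        print(minute, component, label, subject)
    print(dict(rereads_after_app_change(SAMPLE)))
```

A burst of offset-0 reads in the same minute as an app change points at the input configuration swap rather than at file rotation or truncation.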