Hello Guys,
I have this very huge problem of indexed data getting deleted. Basically, I am doing the following steps.
I edit /etc/system/local/inputs.conf with the following monitor stanza. Basically, it indexes multiple files under the directory mydata with a custom sourcetype.
[monitor:///mydata/month_data_20*.csv]
disabled = false
followTail = 0
sourcetype = data_performance
crcSalt = SOURCE
I start the server: /opt/splunk/bin/splunk start
I see data getting indexed on Splunk Web. All files are indexed correctly and to their max size. I also see indexed event counts under manager -> indexes -> main = total event count (around 405,897).
Now I log out from Splunk Web and stop the Splunk instance: /opt/splunk/bin/splunk stop
I do nothing after stopping but simply start the Splunk instance again with /opt/splunk/bin/splunk start
I still see the same count of indexed events on dashboard live. Now I again go to manager -> indexes -> main. The count is the same (405,897). But now, as I again open dashboard live, I see indexed events at 1 only. And under total event count in main I see 1 now instead of the total indexed events (405,897).
I don't understand what the problem is here. 😞 Is it with the stanza that I include under inputs.conf ???
Please help me out guys, I am running out of time to complete this.
Hi mehal
have you searched for your indexed data?
index=main sourcetype=data_performance
btw: you should be careful with using the crcSalt option, this can end in double indexing data. Only use it if you have for example 'file too small' messages.
cheers,
MuS
Not to indexes.conf, but I have added the can delete role in admin. Also, my data is from 1987, so the timestamp is 1987 when indexed.
Also, have you made any modifications to indexes.conf or user roles?
for sure it does 😉 run this please:
| rest /services/data/indexes | where totalEventCount > 0 | table title totalEventCount
Yes, I tried this way but no luck. It shows 1 event count under the indexes page. Splunk does not retain indexes when it is stopped??