Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Skipped Indexing

sleathley
Explorer
‎11-02-2010 06:33 PM

What does this message mean and how does one resolve it. Has appeared now for several days. Using at best 1% of disk space.

skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block

Tags (1)
0 Karma
Reply

kphillipson
Path Finder
‎11-28-2012 12:57 PM

I had this problem while running 5.0 but I believe the root cause was due to forwarding syslog data from a forwarder on the same box as the search head to the indexer (this was due to a work around due to a syslog bug in 5.0).

Once I upgraded to 5.0.1 I had to fsch the database to keep this error for showing up. Stop splunk and run this command.

splunk fsck --all --repair
0 Karma
Reply

ITUser1
Explorer
‎03-05-2015 07:21 AM

In what folder set would I run this command on a Window indexer?

0 Karma
Reply

chicodeme
Communicator
‎10-20-2011 09:13 AM

What did this end up being?

0 Karma
Reply

rsimmons
Splunk Employee
Splunk Employee
‎11-02-2010 06:48 PM

Recommendation: Run the "splunk diag" utility, open a case and upload the diag file to your case, Splunk Support will provide you assistance.

Here are a few things to check, according to the url listed below:

  1. Check disk space on all of your partitions. If your space is too low, then that will cause indexing and searching problems.
  2. Verify that "splunk-optimize" has been running. If you see a large number of *.tsidx files in your buckets, you can simply run splunk-optimize /path/to/your/bucket to force this process to run.
  3. Try disabling some non-essential scheduled saved searches and see if that helps relieve the problem. (You probably don't want to do this for summary-indexing saved searches, if it can be avoided.)

http://splunk-base.splunk.com/answers/7996/down-error-skipped-indexing-of-internal-audit-event-will-...

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...