Getting Data In
Highlighted

Skipped Indexing

Explorer

What does this message mean and how does one resolve it. Has appeared now for several days. Using at best 1% of disk space.

skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block

Tags (1)
0 Karma
Highlighted

Re: Skipped Indexing

Splunk Employee
Splunk Employee

Recommendation: Run the "splunk diag" utility, open a case and upload the diag file to your case, Splunk Support will provide you assistance.

Here are a few things to check, according to the url listed below:

  1. Check disk space on all of your partitions. If your space is too low, then that will cause indexing and searching problems.
  2. Verify that "splunk-optimize" has been running. If you see a large number of *.tsidx files in your buckets, you can simply run splunk-optimize /path/to/your/bucket to force this process to run.
  3. Try disabling some non-essential scheduled saved searches and see if that helps relieve the problem. (You probably don't want to do this for summary-indexing saved searches, if it can be avoided.)

http://splunk-base.splunk.com/answers/7996/down-error-skipped-indexing-of-internal-audit-event-will-...

Highlighted

Re: Skipped Indexing

Communicator

What did this end up being?

0 Karma
Highlighted

Re: Skipped Indexing

Path Finder

I had this problem while running 5.0 but I believe the root cause was due to forwarding syslog data from a forwarder on the same box as the search head to the indexer (this was due to a work around due to a syslog bug in 5.0).

Once I upgraded to 5.0.1 I had to fsch the database to keep this error for showing up. Stop splunk and run this command.

splunk fsck --all --repair
0 Karma
Highlighted

Re: Skipped Indexing

Explorer

In what folder set would I run this command on a Window indexer?

0 Karma