What does this message mean and how does one resolve it? Has appeared now for several days. Using at best 1% of disk space.
skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block
Recommendation: Run the "splunk diag" utility, open a case and upload the diag file to your case, Splunk Support will provide you assistance.
Here are a few things to check, according to the URL listed below:
I had this problem while running 5.0, but I believe the root cause was due to forwarding syslog data from a forwarder on the same box as the search head to the indexer (this was due to a workaround due to a syslog bug in 5.0).
Once I upgraded to 5.0.1 I had to fsck the database to keep this error from showing up. Stop Splunk and run this command.
splunk fsck --all --repair