Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Slow indexing?

attgjh1
Communicator
‎05-31-2012 07:58 PM

Simple question here:

ive been logging several logs recently. (often exceeding the 500mb cap)
however, the indexing seems to have stopped for quite some time now.

ive added a new SINGLE log for testing stuff. up til now (since yesterday), the indexing has not occured. Could it be those old indexes are not done as when i started splunk this morning, there were some logs been indexed still but after a while the summary dashboards stopped updating, which i assumed = done. but my new file isnt there yet 😞

Hope for some troubleshooting advice.

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-31-2012 09:25 PM

I would guess that you're out of space on one of the volumes on which Splunk runs or stores data. By default, Splunk will simply stop indexing when there is less then 2 GB of free space on any volume. You can adjust this threshhold using the minFreeSpace setting in server.conf. You should also adjust the maximum space an index can use before Splunk starts discarding the oldest events to prevent this from happening in the future, but fiddling with indexes.conf index and volume size settings. just be aware that this can get complicated fast.

0 Karma
Reply

attgjh1
Communicator
‎05-31-2012 10:43 PM

i hav alot of free space on my harddisk still. my bucket limit are at default.

ive temporarily upgraded my license as well to a 5gig/day one. im stumped why it isnt indexing fast enough.

every restart i do gets more logs in. when i first booted my comp i had logs at 8:55am from the old batch of logs.
then a r/s at 11.40am showed new stuff under sources but the '8:55' entries were now missing. and no indexing occured from 11.45am onwards.

on closer inspection. my sources from yesterday were gone too!

im nt sure if i should force another restart.

0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎05-31-2012 09:12 PM

Sounds like you tripped the 500MB license limit one too many times. I assume you're either using the Enterprise trial, or the Free license? If so, you can only trip the license limit 5 times (Enterprise), or 3 times (Free) within a 30 day time period.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-31-2012 09:23 PM

No, if he had overrun the license, indexing would continue, but none of his dashboards or searches would display or return any data. More likely, he's out of space on his disk.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top