Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Slow indexing?

attgjh1
Communicator
‎05-31-2012 07:58 PM

Simple question here:

ive been logging several logs recently. (often exceeding the 500mb cap)
however, the indexing seems to have stopped for quite some time now.

ive added a new SINGLE log for testing stuff. up til now (since yesterday), the indexing has not occured. Could it be those old indexes are not done as when i started splunk this morning, there were some logs been indexed still but after a while the summary dashboards stopped updating, which i assumed = done. but my new file isnt there yet 😞

Hope for some troubleshooting advice.

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-31-2012 09:25 PM

I would guess that you're out of space on one of the volumes on which Splunk runs or stores data. By default, Splunk will simply stop indexing when there is less then 2 GB of free space on any volume. You can adjust this threshhold using the minFreeSpace setting in server.conf. You should also adjust the maximum space an index can use before Splunk starts discarding the oldest events to prevent this from happening in the future, but fiddling with indexes.conf index and volume size settings. just be aware that this can get complicated fast.

0 Karma
Reply

attgjh1
Communicator
‎05-31-2012 10:43 PM

i hav alot of free space on my harddisk still. my bucket limit are at default.

ive temporarily upgraded my license as well to a 5gig/day one. im stumped why it isnt indexing fast enough.

every restart i do gets more logs in. when i first booted my comp i had logs at 8:55am from the old batch of logs.
then a r/s at 11.40am showed new stuff under sources but the '8:55' entries were now missing. and no indexing occured from 11.45am onwards.

on closer inspection. my sources from yesterday were gone too!

im nt sure if i should force another restart.

0 Karma
Reply

mloven_splunk
Splunk Employee
Splunk Employee
‎05-31-2012 09:12 PM

Sounds like you tripped the 500MB license limit one too many times. I assume you're either using the Enterprise trial, or the Free license? If so, you can only trip the license limit 5 times (Enterprise), or 3 times (Free) within a 30 day time period.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎05-31-2012 09:23 PM

No, if he had overrun the license, indexing would continue, but none of his dashboards or searches would display or return any data. More likely, he's out of space on his disk.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...