Getting Data In

Slow indexing?

attgjh1
Communicator

Simple question here:

I've been logging several logs recently (often exceeding the 500 MB cap).
However, the indexing seems to have stopped for quite some time now.

I've added a new SINGLE log for testing stuff. Up till now (since yesterday), the indexing has not occurred. Could it be that those old indexes are not done? When I started Splunk this morning, there were some logs still being indexed, but after a while the summary dashboards stopped updating, which I assumed meant done. But my new file isn't there yet 😞

Hope for some troubleshooting advice.

0 Karma

gkanapathy
Splunk Employee

I would guess that you're out of space on one of the volumes on which Splunk runs or stores data. By default, Splunk will simply stop indexing when there is less than 2 GB of free space on any volume. You can adjust this threshold using the minFreeSpace setting in server.conf. You should also adjust the maximum space an index can use before Splunk starts discarding the oldest events to prevent this from happening in the future, by fiddling with indexes.conf index and volume size settings. Just be aware that this can get complicated fast.

0 Karma
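The free-space check described in the answer above, as an added example that is not part of the thread and is not Splunk's own code. It assumes minFreeSpace sits in the `[diskUsage]` stanza of server.conf as a plain number of megabytes, and the sample config, the `/` path and the function names are constructed for illustration.

```python
import configparser
import shutil

# The answer cites a 2 GB default; taken here as 2000 MB (assumption, check your version).
DEFAULT_MIN_FREE_MB = 2000

# Constructed sample of a server.conf that overrides the threshold.
SAMPLE_SERVER_CONF = """\
# local overrides
[general]
serverName = idx01

[diskUsage]
minFreeSpace = 5000
"""


def min_free_mb(conf_text, default=DEFAULT_MIN_FREE_MB):
    """Return minFreeSpace (MB) from server.conf text, or the default if unset."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    # Splunk allows settings before the first stanza; give them a stanza to live in.
    parser.read_string("[_global]\n" + conf_text)
    return parser.getint("diskUsage", "minFreeSpace", fallback=default)


def free_mb(paths):
    """Free space in MB on the volume holding each path."""
    return {p: shutil.disk_usage(p).free // (1024 * 1024) for p in paths}


def volumes_below_threshold(free_mb_by_path, threshold_mb):
    """Paths whose volume has less free space than the threshold."""
    return sorted(p for p, free in free_mb_by_path.items() if free < threshold_mb)


if __name__ == "__main__":
    # Hypothetical paths: replace with your install directory and index volumes.
    paths = ["/"]
    threshold = min_free_mb(SAMPLE_SERVER_CONF)
    low = volumes_below_threshold(free_mb(paths), threshold)
    for p in low:
        print(f"{p}: below {threshold} MB free, indexing would pause")
    if not low:
        print(f"all volumes have at least {threshold} MB free")
```

Run on a schedule against every volume Splunk uses, a check like this surfaces a pending indexing stop before it becomes a gap in the logs.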

attgjh1
Communicator

I have a lot of free space on my hard disk still. My bucket limits are at default.

I've temporarily upgraded my license as well to a 5gig/day one. I'm stumped why it isn't indexing fast enough.

Every restart I do gets more logs in. When I first booted my comp I had logs at 8:55am from the old batch of logs.
Then a r/s at 11.40am showed new stuff under sources, but the '8:55' entries were now missing, and no indexing occurred from 11.45am onwards.

On closer inspection, my sources from yesterday were gone too!

I'm not sure if I should force another restart.

0 Karma

mloven_splunk
Splunk Employee

Sounds like you tripped the 500MB license limit one too many times. I assume you're either using the Enterprise trial, or the Free license? If so, you can only trip the license limit 5 times (Enterprise), or 3 times (Free) within a 30 day time period.

0 Karma

gkanapathy
Splunk Employee

No, if he had overrun the license, indexing would continue, but none of his dashboards or searches would display or return any data. More likely, he's out of space on his disk.

0 Karma