Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk indexing rate high with no new files in directory monitor

pvols1979
Explorer
‎10-28-2012 01:50 PM

We are "monitoring" a directory on a Splunk indexer host. This is the only input on this particular indexer. The indexing rate has remained constant at 5,000KB/s although no new files have been added to the directory for a few days. How is this possible? Could Splunk be re-indexing the files in this directory? The files have not changed in any way since they were copied over.

0 Karma
Reply

bmacias84
Champion
‎10-29-2012 09:39 AM

Ok, Not sure whats happening. So do you have have schedule task or cron job copy the directories/files over? Are you using CRCsalt? Install SOS (Splunk on Splunk) App or search the _internal index for the source which may give you some ideas.

Considerchanging your File checksum configuration to [endpoint_md5|entire_md5|modtime] in your props.conf.

If no luck up your logging channels on your indexer (I am not familar with all the logging channels):

  • FileInputTracker
  • FileTracker
  • recordFileManager
  • WatchedFile

Also keep in mind that Splunk indexes its own logs as well as those from your Forwarders which is stored in the _internal index. _internal does not count against your license.

Hope this helps or gets you started.

Reply

dewald13
Path Finder
‎10-29-2012 08:29 AM

call support. they'll tell you they'll call you back, then not call you back...

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...