- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Splunk not indexing data for files
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk not indexing data for files
Hi,
I have the following events in my log files. These are tab delimited fields. The files are not getting indexed by Splunk.
78a581fb-c193-45b0-86c5-2736777c7b58 60ef9efb-496f-1050-34bb-a9a1c782a7ba All Hosts 10.0 \N \N \N \N \N 2.2 \N \N 31.996002197265625 15.100006103515625 16.89599609375 52.80658499015208 15.998001098632812 3.590625 1.122210511757889 16.89599609375 2013-10-23 00:00:00 2013-10-23 00:59:59
a3532c01-3b5e-4dd1-9508-b2153f98b4f0 a854ba84-57fb-0bc6-e241-00a050dab35a Marc's Servers 3.0 \N \N \N \N \N 1.3333333333333333 \N \N 7.9211578369140625 3.3072255452473955 4.613932291666667 58.24820546012715 7.9211578369140625 0.6666666666666666 0.2524883408685066 4.613932291666667 2013-10-23 00:00:00 2013-10-23 00:59:59
a8ea7c79-50f5-4851-947a-3dcdbfab1cf5 d5a74d0c-c896-42e8-70f8-beedc69105f6 All Hosts 150.0 100.0 75.0 25.0 25.0 4.0 4.0 6.0 150.0 399.9500274658203 -0.05028128147136357 400.0003087472916 100.01257189099096 15.998001098632812 4.0 1.500187420417857 400.0003087472916 2013-10-23 00:00:00 2013-10-23 00:59:59
Would you know why that would be the case. I tried indexing iis log files and they are working fine as expected.
PLease let me know, if you would any additional information for troubleshooting.
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do you know they're not getting indexed? The thing I see immediately is that the timestamp is pretty far into the event so Splunk probably won't pick it up using default settings. Instead it'll resort to other means of determining the events' timestamps (see http://docs.splunk.com/Documentation/Splunk/latest/Data/HowSplunkextractstimestamps ). How are you looking for the events you expect to see? Are you searching over all time? Do you have a specific sourcetype that you're looking for? Give us more details about how you've setup the input and what you've done to determine things aren't working, please.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ayn, did the above information help with understanding the root cause of the issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
here are details that you requested. Following are the sourcetypes in my system. i have highlighted the one corresponding to my input. Splunk has identified there are 196 files for that sourcetype. See this image - http://sdrv.ms/1iosB8H
However, when i try to search for it, in the data summary - i do not see any events from that sourcetype. see image here - http://sdrv.ms/1iosMRf
here is the sample log file that i am indexing into splunk - http://sdrv.ms/1g6yDht
thanks.
Developer Spotlight with Paul Stout
State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...
Data-Driven Success: Splunk & Financial Services
