Getting Data In

Splunk not indexing data for files



I have the following events in my log files. These are tab delimited fields. The files are not getting indexed by Splunk.

78a581fb-c193-45b0-86c5-2736777c7b58    60ef9efb-496f-1050-34bb-a9a1c782a7ba    All Hosts   10.0    \N  \N  \N  \N  \N  2.2 \N  \N  31.996002197265625  15.100006103515625  16.89599609375  52.80658499015208   15.998001098632812  3.590625    1.122210511757889   16.89599609375  2013-10-23 00:00:00 2013-10-23 00:59:59

a3532c01-3b5e-4dd1-9508-b2153f98b4f0 a854ba84-57fb-0bc6-e241-00a050dab35a Marc's Servers 3.0 \N \N \N \N \N 1.3333333333333333 \N \N 7.9211578369140625 3.3072255452473955 4.613932291666667 58.24820546012715 7.9211578369140625 0.6666666666666666 0.2524883408685066 4.613932291666667 2013-10-23 00:00:00 2013-10-23 00:59:59

a8ea7c79-50f5-4851-947a-3dcdbfab1cf5 d5a74d0c-c896-42e8-70f8-beedc69105f6 All Hosts 150.0 100.0 75.0 25.0 25.0 4.0 4.0 6.0 150.0 399.9500274658203 -0.05028128147136357 400.0003087472916 100.01257189099096 15.998001098632812 4.0 1.500187420417857 400.0003087472916 2013-10-23 00:00:00 2013-10-23 00:59:59

Would you know why that would be the case. I tried indexing iis log files and they are working fine as expected.

PLease let me know, if you would any additional information for troubleshooting.


Tags (3)
0 Karma


How do you know they're not getting indexed? The thing I see immediately is that the timestamp is pretty far into the event so Splunk probably won't pick it up using default settings. Instead it'll resort to other means of determining the events' timestamps (see ). How are you looking for the events you expect to see? Are you searching over all time? Do you have a specific sourcetype that you're looking for? Give us more details about how you've setup the input and what you've done to determine things aren't working, please.

0 Karma


Hi Ayn, did the above information help with understanding the root cause of the issue?

0 Karma


here are details that you requested. Following are the sourcetypes in my system. i have highlighted the one corresponding to my input. Splunk has identified there are 196 files for that sourcetype. See this image -

However, when i try to search for it, in the data summary - i do not see any events from that sourcetype. see image here -

here is the sample log file that i am indexing into splunk -


0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!