Splunk not indexing data

Sheela
Path Finder

I have a Splunk indexer which hasn't been indexing logs for the past 3-4 days. I'm trying to troubleshoot and have gone through the usual checklist of items that I found by researching Splunkbase. The most common reason, of course, is the disk being full. I have over 50% of the disk free. Second, I haven't configured my indexer as a forwarder. All the logs that I'm indexing are on the same box as the indexer. After reviewing splunkd.log, these are the only two things that stood out:

02-04-2012 10:58:48.643 WARN DateParserVerbose - The TIME_FORMAT specified is matching timestamps (Mon Oct 29 09:24:24 2012) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE.

So just to debug the issue, in props.conf, I set:
MAX_DAYS_HENCE=2000
MAX_DAYS_AGO=10951
(And restarted Splunk) because I thought Splunk was trying to index logs in the future.
That didn't work either.

This is the other error message:

02-06-2012 05:11:34.353 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
02-06-2012 05:11:34.353 INFO TailingProcessor - ...continuing.

Could someone please tell me firstly, does the DateParserVerbose Warning have anything to do with Splunk not indexing data AT ALL? Secondly, please tell me how I can resolve this.
Any help will be appreciated. Thank you.

Brian_Osburn
Builder

Have you tried searching for "All Time" in the drop down selector?

Can you post a snippet of the log format so we can get the props.conf set correctly, if that's the case?

Brian

Sheela
Path Finder

This was my bad. I apologize, this is a syslog issue. Thanks so much for your help.
