Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk not indexing data

Sheela
Path Finder
‎02-07-2012 02:22 PM

I have a Splunk indexer which hasn't been indexing logs from the past 3-4 days. I'm trying to troubleshoot and have gone through the usual checklist of items that I found by researching splunkbase. The most common reason, of course is disk being full. I have over 50% of the disk free. Second, I haven't configured my indexer as a forwarder. All the logs that I'm indexing are on the same box as the indexer. After reviewing splunkd.log, these are the only two things that stood out-

02-04-2012 10:58:48.643 WARN DateParserVerbose - The TIME_FORMAT specified is matching timestamps (Mon Oct 29 09:24:24 2012) outside of the acceptable time window. If this timestamp is correct, consider adjusting MAX_DAYS_AGO and MAX_DAYS_HENCE.

So just to debug the issue, in props.conf, I set:
MAX_DAYS_HENCE=2000
MAX_DAYS_AGO=10951
(And restarted Splunk) because I thought Splunk was trying to index logs in the future.
That didn't work either.

This the other error message:

02-06-2012 05:11:34.353 INFO TailingProcessor - Could not send data to output queue (parsingQueue), retrying...
02-06-2012 05:11:34.353 INFO TailingProcessor - ...continuing.

Could someone please tell me firstly, does the DateParserVerbose Warning have anything to do with Splunk not indexing data AT ALL? Secondly, please tell me how I can resolve this.
Any help will be appreciated. Thank you.

Tags (1)
Reply

Brian_Osburn
Builder
‎02-07-2012 05:48 PM

Have you tried searching for "All Time" in the drop down selector?

Can you post a snippet of the log format so we can get the props.conf set correctly if that's the case..

Brian

Reply

Sheela
Path Finder
‎02-22-2012 09:23 AM

This was my bad. I apologize, this is a syslog issue. Thanks so much for your help.

0 Karma
Reply
Get Updates on the Splunk Community!

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...