- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Unable to load all evtx files in a folder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unable to load all evtx files in a folder
Dear All,
I am facing difficulty in loading all the evtx files in a folder to Splunk.
I am using free Splunk version for learning. My folder has 306 files, Splunk loaded only 212 files. In another case my folder has 47 files, but Splunk loaded only 3 files. I am having this issue even after trying multiple times while the count of files loaded successfully keeps changing.
Kindly help me with the possible reasons of this happening.
MMM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another thing to check would be if Splunk is freezing buckets because they are older than are allowed by frozenTimePeriodInSecs. If the evtx data is older than your index retention policy then Splunk will index and then freeze them. Do you see any _internal logs indicating freezing buckets for your index that should contain the evtx data?
(replace <yourindex> with your index name below)
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" sourcetype=splunkd component=BucketMover bkt="'/opt/splunk/var/lib/splunk/<yourindex>*" freeze
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi tscroggings,
Thanks a lot for replying and sorry for not mentioning the size of data. The size of data has always been below 100MB.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MMMM,
Is that the size of the evtx files on disk or the size of the events after they're indexed? Have you confirmed you haven't reached the Splunk Free license limit?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is the size of evtx files on disk. I have confirmed I have not reached the limit. Size after indexing is much below than the size on disk as it is not loading all the files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MMMM,
Splunk Free is limited to 500 MB of ingest per day. How large are the indexed events?
You can check for license alerts under Settings > Licensing, although an alert should also appear under Messages.
You can run a simple search to see daily usage over time:
| tstats sum(PREFIX(b=)) as bytes where index=_internal source=*license_usage.log* TERM(type=RolloverSummary) earliest=-7d@d latest=now by _time span=1d
| eval MB=round(bytes/1024/1024)If your daily usage is over 500 MB, Splunk Free will stop indexing new data, i.e. your evtx files, when the limit is reached.
Buttercup Games: Further Dashboarding Techniques (Part 6)
Technical Workshop Series: Splunk Data Management and SPL2 | Register here!
Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts
