Dear All,
I am facing difficulty in loading all the evtx files in a folder to Splunk.
I am using the free Splunk version for learning. My folder has 306 files, but Splunk loaded only 212 files. In another case my folder has 47 files, but Splunk loaded only 3 files. I am having this issue even after trying multiple times, and the count of files loaded successfully keeps changing.
Kindly help me with the possible reasons for this happening.
MMM
Another thing to check would be whether Splunk is freezing buckets because they are older than is allowed by frozenTimePeriodInSecs. If the evtx data is older than your index retention policy, then Splunk will index and then freeze it. Do you see any _internal logs indicating freezing buckets for the index that should contain the evtx data?
(replace <yourindex> with your index name below)
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" sourcetype=splunkd component=BucketMover bkt="/opt/splunk/var/lib/splunk/<yourindex>*" freeze
Hi tscroggings,
Thanks a lot for replying and sorry for not mentioning the size of data. The size of data has always been below 100MB.
Hi @MMMM,
Is that the size of the evtx files on disk or the size of the events after they're indexed? Have you confirmed you haven't reached the Splunk Free license limit?
It is the size of the evtx files on disk. I have confirmed I have not reached the limit. The size after indexing is much smaller than the size on disk, as it is not loading all the files.
Hi @MMMM,
Splunk Free is limited to 500 MB of ingest per day. How large are the indexed events?
You can check for license alerts under Settings > Licensing, although an alert should also appear under Messages.
You can run a simple search to see daily usage over time:
| tstats sum(PREFIX(b=)) as bytes where index=_internal source=*license_usage.log* TERM(type=RolloverSummary) earliest=-7d@d latest=now by _time span=1d
| eval MB=round(bytes/1024/1024)
If your daily usage is over 500 MB, Splunk Free will stop indexing new data, i.e. your evtx files, when the limit is reached.
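The two answers above point at the licence limit and at retention (frozenTimePeriodInSecs) as reasons why files might appear not to load. The script below is an added example, not code from the thread or from Splunk: it audits a folder of .evtx files before ingest and reports total bytes against the 500 MB/day Splunk Free limit, each file's newest event time against frozenTimePeriodInSecs, and whether the file is structurally readable at all (file and chunk signatures, header CRC, chunk count), so an unreadable file can be told apart from a licence or retention problem. Assumptions that are mine rather than the thread's: on-disk size is used as a proxy for ingest volume, the index keeps Splunk's default frozenTimePeriodInSecs of 188697600 seconds, the .evtx header, chunk and record layouts follow the public format description, and `build_sample_evtx` only fabricates test input, not real Windows logs.

```python
"""Pre-ingest audit of a folder of .evtx files before pointing Splunk at it.
Reports total bytes on disk against the Splunk Free 500 MB/day limit, each
file's newest event time against frozenTimePeriodInSecs, and basic structural
sanity (signatures, header CRC, chunk count) so an unreadable file can be told
apart from a licence or retention problem. Assumptions added here, not from
the thread: on-disk size approximates ingest volume; default retention."""
import os
import struct
import zlib
from datetime import datetime, timedelta, timezone

FREE_DAILY_LIMIT = 500 * 1024 * 1024   # Splunk Free ingest limit, bytes/day
DEFAULT_FROZEN_SECS = 188697600        # Splunk default, roughly six years
FILE_HEADER_SIZE = 4096                # .evtx file header block
CHUNK_SIZE = 65536                     # each chunk is 64 KiB
CHUNK_HEADER_SIZE = 512                # records start after the chunk header
RECORD_MAGIC = 0x00002A2A              # b"**\x00\x00" read as LE uint32
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10

def parse_file_header(data):
    """Check the 4 KiB .evtx header; return (number_of_chunks, problems)."""
    if len(data) < FILE_HEADER_SIZE or data[:8] != b"ElfFile\x00":
        return 0, ["bad file signature"]
    problems = []
    # offset 8: first/last chunk no., next record id, header size, minor and
    # major version, header block size, number of chunks (index 7)
    nchunks = struct.unpack_from("<QQQIHHHH", data, 8)[7]
    flags, crc = struct.unpack_from("<II", data, 120)
    if zlib.crc32(data[:120]) != crc:
        problems.append("file header CRC mismatch")
    if flags & 0x1:
        problems.append("dirty flag set (log not cleanly closed)")
    if FILE_HEADER_SIZE + nchunks * CHUNK_SIZE > len(data):
        problems.append("truncated: header claims %d chunks" % nchunks)
    return nchunks, problems

def iter_record_times(data, nchunks):
    """Walk each chunk's record headers and yield every record's written time."""
    for c in range(nchunks):
        base = FILE_HEADER_SIZE + c * CHUNK_SIZE
        chunk = data[base:base + CHUNK_SIZE]
        if chunk[:8] != b"ElfChnk\x00":
            continue
        off = CHUNK_HEADER_SIZE
        while off + 24 <= len(chunk):
            magic, size, _rid, written = struct.unpack_from("<IIQQ", chunk, off)
            if magic != RECORD_MAGIC or size < 28 or off + size > len(chunk):
                break                      # end of records, or a damaged chunk
            yield filetime_to_dt(written)
            off += size

def audit_files(files, frozen_secs=DEFAULT_FROZEN_SECS, now=None):
    """files: {name: bytes}. Returns per-file findings plus the licence check."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(seconds=frozen_secs)
    total, report = 0, {}
    for name, data in sorted(files.items()):
        total += len(data)
        nchunks, problems = parse_file_header(data)
        times = list(iter_record_times(data, nchunks))
        newest = max(times) if times else None
        if newest is None:
            problems.append("no readable records")
        elif newest < cutoff:
            problems.append("all events older than frozenTimePeriodInSecs; "
                            "Splunk would index and then freeze this data")
        report[name] = {"bytes": len(data), "records": len(times),
                        "newest": newest, "problems": problems}
    return {"total_bytes": total, "over_free_limit": total > FREE_DAILY_LIMIT,
            "files": report}

def audit_folder(folder, **kw):
    """Read every *.evtx in a folder (a hypothetical path you supply) and audit it."""
    files = {n: open(os.path.join(folder, n), "rb").read()
             for n in os.listdir(folder) if n.lower().endswith(".evtx")}
    return audit_files(files, **kw)

def build_sample_evtx(times):
    """Constructed sample: a minimal structurally valid .evtx with one chunk and
    one record per timestamp. Test input only, not a real Windows log."""
    chunk = bytearray(CHUNK_SIZE)
    chunk[:8] = b"ElfChnk\x00"
    off = CHUNK_HEADER_SIZE
    for i, t in enumerate(times, 1):
        body = b"<Event/>"
        size = 24 + len(body) + 4          # header + body + trailing size copy
        struct.pack_into("<IIQQ", chunk, off, RECORD_MAGIC, size, i, dt_to_filetime(t))
        chunk[off + 24:off + 24 + len(body)] = body
        struct.pack_into("<I", chunk, off + size - 4, size)
        off += size
    hdr = bytearray(FILE_HEADER_SIZE)
    hdr[:8] = b"ElfFile\x00"
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, 0, len(times) + 1, 128, 1, 3, 4096, 1)
    struct.pack_into("<II", hdr, 120, 0, zlib.crc32(bytes(hdr[:120])))
    return bytes(hdr + chunk)
```

Run `audit_folder("path/to/evtx")` against the folder you are monitoring: if `over_free_limit` is true, the missing files are explained by the daily licence limit, and any file whose `problems` mentions frozenTimePeriodInSecs would be indexed and then frozen, so its events never appear in searches. A file flagged with a bad signature, CRC mismatch or truncation is one Splunk cannot read regardless of licence, which is worth checking because a changing count of successfully loaded files is also what you would see when some files are unreadable on a given run.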