Getting Data In

Why has Splunk stopped indexing my files?

dshakespeare_sp
Splunk Employee
Splunk Employee

Customer reported that a standalone Splunk Indexer had stopped indexing any monitored files.
They also noticed that :

  • Splunks _internal index was no longer been written to.
  • The Splunk GUI was available and "splunk status" showed splunk was running
  • Splunks log files in $SPLUNK_HOME/var/log/splunk were being written to corectly

dshakespeare_sp
Splunk Employee
Splunk Employee

In splunkd.log the following error was observered

WARN  TailingProcessor - Called run() on disabled instance.  Will not run.

This message appears when disabled=true is set in a global/default stanza in inputs.conf
In $SPLUNK_HOME/etc/system/local/inputs.conf it was found that the following stanza had been mistakenly set

[default]
disabled = 1
index = test
sourcetype = testing

When this stanza was removed and Splunk was restarted, indexing resumed correctly

jplumsdaine22
Influencer

Don't forget to mark as answered 🙂

Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...