Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why has Splunk stopped indexing my files?

dshakespeare_sp
Splunk Employee
Splunk Employee
‎01-26-2017 12:50 AM

Customer reported that a standalone Splunk Indexer had stopped indexing any monitored files.
They also noticed that :

  • Splunks _internal index was no longer been written to.
  • The Splunk GUI was available and "splunk status" showed splunk was running
  • Splunks log files in $SPLUNK_HOME/var/log/splunk were being written to corectly
Reply

dshakespeare_sp
Splunk Employee
Splunk Employee
‎01-26-2017 12:59 AM

In splunkd.log the following error was observered

WARN  TailingProcessor - Called run() on disabled instance.  Will not run.

This message appears when disabled=true is set in a global/default stanza in inputs.conf
In $SPLUNK_HOME/etc/system/local/inputs.conf it was found that the following stanza had been mistakenly set

[default]
disabled = 1
index = test
sourcetype = testing

When this stanza was removed and Splunk was restarted, indexing resumed correctly

Reply

jplumsdaine22
Influencer
‎01-26-2017 03:34 AM

Don't forget to mark as answered 🙂

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...