Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is latest data in monitored paths in my Windows folders not getting indexed?

shariinPH
Contributor
‎03-30-2015 12:36 AM

I am monitoring certain paths in my Windows folders..
I have already done the following:
Put crcSalt on my inputs.conf
Commanded clan all in my forwarder
Commanded my indexer to clan event data on that certain index.

I am confused why it's not indexing past and latest data.
Someone help me pls.
Thanks!

0 Karma
Reply

woodcock
Esteemed Legend
‎08-10-2015 08:16 AM

It turns out that ignoreOlderThan works differently than many people assume. It does NOT examine events; rather it tracks the modification time of the monitored file. If many of the files haven't been written to for upwards of a month, Splunk will stop monitoring them and once Splunk makes this decision, it is permanent. So even if the files have been modified recently, Splunk will never care. In other words, avoid ignoreOlderThan like the plague and remember to take it back out if you ever do have to use it (e.g. first time data onboard).

0 Karma
Reply

satishsdange
Builder
‎03-30-2015 12:41 AM

Could you please share some more information such as inputs.conf, outputs.conf,
output of "tail -100f splunkd.log | grep TcpOutputProc" on UF, enabled receiving?

0 Karma
Reply

shariinPH
Contributor
‎03-30-2015 12:53 AM

hi satishsdaange!
here's my inputs.conf on my universal forwarder

[monitor://G:\OperationData\Atr_RdngINDRA\ZDanning\...\*-*funn.txt]
disabled = false
index = dun_trial
sourcetype = findun
ignoreOlderThan = 25d
_TCP_ROUTING=maydev

my props.conf in my indexer is:

[findun]
DATETIME_CONFIG = NONE
MAX_TIMESTAMP_LOOKAHEAD = 150
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
pulldown_type = 1

note that i already removed my crcSalt

0 Karma
Reply

satishsdange
Builder
‎03-30-2015 12:56 AM

could you please run on UF "tail -100f splunkd.log | grep TcpOutputProc" & share result

0 Karma
Reply

shariinPH
Contributor
‎03-30-2015 01:01 AM

but i have checked the file splunk.log and copied some txt

03-30-2015 14:54:37.228 +0800 ERROR TailingProcessor - File will not be read, seekptr checksum did not match (file=G:\OperationData\Mtr_RdngINDRA\ZDunning\030815\0200-20150225dunn.txt).  Last time we saw this initcrc, filename was different.  You may wish to use a CRC salt on this source.  Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.
03-30-2015 14:54:37.259 +0800 ERROR TailingProcessor - File will not be read, seekptr checksum did not match (file=G:\OperationData\Mtr_RdngINDRA\ZDunning\030815\0300-20150225dunn.txt).  Last time we saw this initcrc, filename was different.  You may wish to use a CRC salt on this source.  Consult the documentation or file a support case online at http://www.splunk.com/page/submit_issue for more info.
0 Karma
Reply

satishsdange
Builder
‎03-30-2015 02:14 AM

Well, I wanted to check whether UF is forwarding data to indexers or not? Could you please confirm that?

0 Karma
Reply

shariinPH
Contributor
‎03-30-2015 02:33 AM

on my other monitored paths, yes it is forwarding data, but not all the files and logs were forwarded. what do you think is the problem with this?

0 Karma
Reply

shariinPH
Contributor
‎03-30-2015 01:00 AM

hi, im using windows os for my splunk

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...