Knowledge Management

My data isn't being indexed.

Path Finder

I don't have a clue anymore. My data hasn't been indexed anymore. I attempted all the three ways of Files & Directories but couldn't figure out why.

Here's my steps:

1- Place the file to be indexed on the splunk instance.

2- Enter with the path on the F&D (monitor a file or a directory)

3- Selected the default as my index

And that's it. Even though my indexed data is not showing up

Does anybody have a clue what is missing ?

I have checked the Index out on the Splunk Web and the main index still 0 MB. In other words, it hasnt been indexed.

Tags (2)


What are the properties of this file? Are you sure that it is accessible / readable by splunk? Check its permissions. Have you tried inputing other files? Do you get any data in? what happens if you run a search for index=_internal do you see any data coming in at all?

Path Finder

It's an Event Viewer file. its readable by splunk, since the server has at the same directory structure some indexed files. the _internal index would be my second question. I went there to check my internal index out, but its gone. I'm running splunk on test environment, so I cleaned all the index data more than one. I guess during this test the internal index has stopped indexing.

0 Karma

Splunk Employee
Splunk Employee

There are numerous ways to troubleshoot this, with the following being my suggestions:

  1. Make sure you are not indexing duplicate data/files, where the first 256 bytes might be similar. If this is happening, then you should investigate how to index duplicate files.
  2. Run a search that specifies your exact file, all indexes, and all time. NOT using the exact file, all indexes, and all time are the most common mistake. For example, the search should resemble (select the TimeRange over All-Time):

    index=* source=/path/to/your/file*

Path Finder

I already did this. even if I was indexing same files the first of them should appear here. I tryed looking for all indexes and the source, a string inside the file, but without success

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...