Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

My data isn't being indexed.

Caio_Santos
Path Finder
‎09-21-2010 07:56 PM

I don't have a clue anymore. My data hasn't been indexed anymore. I attempted all the three ways of Files & Directories but couldn't figure out why.

Here's my steps:

1- Place the file to be indexed on the splunk instance.

2- Enter with the path on the F&D (monitor a file or a directory)

3- Selected the default as my index

And that's it. Even though my indexed data is not showing up

Does anybody have a clue what is missing ?

I have checked the Index out on the Splunk Web and the main index still 0 MB. In other words, it hasnt been indexed.

Tags (2)
Reply

genti1
Engager
‎09-21-2010 08:38 PM

What are the properties of this file? Are you sure that it is accessible / readable by splunk? Check its permissions. Have you tried inputing other files? Do you get any data in? what happens if you run a search for index=_internal do you see any data coming in at all?

Reply

Caio_Santos
Path Finder
‎09-22-2010 12:20 PM

It's an Event Viewer file. its readable by splunk, since the server has at the same directory structure some indexed files. the _internal index would be my second question. I went there to check my internal index out, but its gone. I'm running splunk on test environment, so I cleaned all the index data more than one. I guess during this test the internal index has stopped indexing.

0 Karma
Reply

Simeon
Splunk Employee
Splunk Employee
‎09-21-2010 08:04 PM

There are numerous ways to troubleshoot this, with the following being my suggestions:

  1. Make sure you are not indexing duplicate data/files, where the first 256 bytes might be similar. If this is happening, then you should investigate how to index duplicate files.

  2. Run a search that specifies your exact file, all indexes, and all time. NOT using the exact file, all indexes, and all time are the most common mistake. For example, the search should resemble (select the TimeRange over All-Time):

    index=* source=/path/to/your/file*

Reply

Caio_Santos
Path Finder
‎09-21-2010 08:13 PM

I already did this. even if I was indexing same files the first of them should appear here. I tryed looking for all indexes and the source, a string inside the file, but without success

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...