Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What could be causing Splunk Enterprise to re-index the same events every time a new one gets logged?

michaeler
Communicator
‎09-05-2020 09:38 AM

I recently took over as an admin for Splunk on one of my company's networks. We have 4 Forwarders and one enterprise instance. We recently updated our workstations and started getting large increases in events and exceeded our index by 8x everyday.

I recently monitored the data at different points in the day and realized every event is getting re-indexed every minute. I watched one time period grow from 2500 events to 250,000 by the end of the day. If i refreshed the search it would have an additional 1200 events every minute (roughly).

What could be causing Splunk to re-index the same events everytime a new one gets logged?

Labels (1)
Labels
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎09-05-2020 09:46 AM

can you provide inputs.conf.

————————————
If this helps, give a like below.
0 Karma
Reply

michaeler
Communicator
‎09-05-2020 03:07 PM

I'm not there and don't have it memorized but its something like this:

[WinEventLog://Security]
disabled = 0
start_from = newest
blacklist = 4648,7310
suppress_text = 1

[WinEventLog://Application]
disabled = 0
start_from = newest
blacklist = 4648,7310
suppress_text = 1

[WinEventLog://System]
disabled = 0
start_from = newest
blacklist = 4648,7310
suppress_text = 1

[perfmon]

disabled = 1

I've previously set "starts_from = oldest" and had the same issues.

0 Karma
Reply

michaeler
Communicator
‎09-05-2020 03:09 PM

Ignore the code numbers on the blacklist. I can't remember the specifics for each of those but I've blacklisted what contributes roughly 90% of all logs for each source.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...