Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

indexed data missing for source type

kteng2024
Path Finder
‎07-27-2017 01:08 PM

Data already been indexed for a sourcetype is missing in splunk . Can i please know how to troubleshoot the issue . events in splunk in splunk are missing for only those 2 days but events are available before and after those 2 days.

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-27-2017 01:16 PM

Have you searched all time? Sounds like timestamp issues...

- MattyMo
0 Karma
Reply

kteng2024
Path Finder
‎07-27-2017 02:19 PM

no timestamp change.

0 Karma
Reply

mattymo
Splunk Employee
Splunk Employee
‎07-27-2017 03:43 PM

what is the date of the missing data?
Is the sourcetype looking ok real time?
what is the source and sourcetype of the data. how is it collected?
Are you an admin?
Is it possible it is collected in daily files and rolled over, and somehow those two days were lost, or need to be re-indexed?

#hunt for the source file, may show you exactly where to find the raw data, if meta is not overwritten
    index=<yourIndex> sourcetype=<yourSourcetype> | stats count by source | head 10000

#Look at the configuration for the particular sourcetype. 
    ./splunk btool inputs list <yourInput>  --debug
    ./splunk btool props list  <yourSourcetype> --debug


#if you get to the point you are chasing buckets
    check out | db inspect
- MattyMo
0 Karma
Reply

hardikJsheth
Motivator
‎07-27-2017 10:56 PM

The reason why data is missing will depend on how its getting indexed

If you are monitoring a file which is managed via logrotation, then problem can be with the filechecksum. Splunk may have already indexed data from the beginning of the file and file was rotated which may have resulted in data not getting indexed from rest of the file.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...