The "list index out of range" appears to be a red herring, as I also see it on fresh 5.0.1 install with no observable errors in the UI. I've filed it as SPL-58736, referencing this question. @megancarney: Please open a support case ( https://www.splunk.com/page/submit_issue ) and upload the diagnostic file generated by "splunk diag". A screenshot of the error in the web browser would also help. ... View more

In addition to what Matt asked for - if you really want to do a fresh install, you should 1) uninstall, 2) delete the splunk installation directory, 3) install. ... View more

Is a completely fresh install, or an upgrade? ... View more

That's very strange. A few questions: Which OS? Which package type (.rpm, .tgz, etc)? What was the exact upgrade steps you took (how uninstalled, how installed, etc.)? The migration trigger is a file, named "ftr", that lives in the root of your Splunk installation. This file is present at install/upgrade time, and is deleted by a successful migration. However, if migration somehow managed to be skipped, usually your configuration would still be in good shape... Also, take a look earlier in splunkd.log, before the PluginException messages that you pasted above. There should be WARN or ERROR messages from IndexProcessor indicating why it failed to come up. ... View more

what about ignoreOlderThan? ... View more

This has been forwarded to the web team, thanks. Will also find out whether we have a public facing webmasterish address... ... View more

At this point the monthly bulk "mv $CURRENTLOGS $OLDLOGS/something" job can be eliminated, as the new cron job would simply move $LOGFILE to the appropriate month's directory based on its metadata. Let me know whether you agree with the concerns stated above and whether a briefly delayed solution works for you. If not, we can always discuss other ideas, but I believe the above is the simplest solution. // And now, to go file a bug on max comment length here... ... View more

One way to make this work very well is if you can live with a 1-2 minute indexing delay (think: realtime data stream running a minute or two behind). If so, you can use the [DESTRUCTIVE] "sinkhole" input that exists on all Splunk instances. The idea is to setup a cron job that uses "find" to move all logs older than a couple of minutes to the archive directory, and simultaneously copy the file into the sinkhole directory. As soon as the sinkholed file is read, it will be deleted. This will keep the amount of monitored files (in the sinkhole) low, reducing memory usage. ... View more

network hiccups causing delays in sending files, indexers backing up due to a large burst of data, just plain having a network & indexer setup that is regularly outpaced by log file growth, etc. So, monitoring the CURRENTLOGS directory in your scenario may not turn out to be entirely reliable. More typical logging strategies create fewer files that are larger and are rotated individually instead of as an entire directory, making it a bit easier to avoid this problem. ... View more

If there are many processes running every second and each process is creating one or more files per run, your file rotation strategy will create a race that could cause some data to be missed. When it comes time to "mv $CURRENTLOGS $OLDLOGS/something" and "mkdir $CURRENTLOGS", there's no guarantee that Splunk has indexed all of the logs being moved - for example, 100 processes could spin up in the seconds before the "mv" and the files they created may be moved out of the way before Splunk has a chance to see them. There are many reasons for the forwarder to fall behind like this: ... View more

Sorry for the delay in responding. We should be able to manage the amount of tracked files (and thus file-scanning performance & the amount of memory used), although a straight-forward setup with this rate of file creation can have some caveats, so we may resort to a couple of tricks. I'll explain my concerns below, and you can consider their validity. Let's say the path setup is: CURRENTLOGS=/path/to/app/instance1/logs/live OLDLOGS=/path/to/app/instance1/logs/archive ... View more

I should note that as of recent Splunk versions (4.2 or 4.3), it may be harder to see the "blocked" messages. An additional thing to check would be current vs max queue size, with: grep --color group=queue.*current_size_kb var/log/splunk/metrics.log ...as the queues could be at 95-99% capacity, but not emitting "blocked" messages because they're not at 100% (due to queuing strategy changes in recent versions). ... View more

Mark, an exact recommendation depends on a few more details about your setup. It's recommended to avoid monitoring many hundreds of thousands of files in a single Splunk instance, as the current implementation can be heavy on memory usage - although if you're on a very beefy server, it's possible you won't care about that much. Scaling up to two million files actively monitored in a single instance is an untested scenario, so hopefully your data is arranged in such a way that we can ingest it in batches. Before we get to that, you're correct that consolidating your syslog-ng files is a smart move. In general, monitoring fewer files is a good thing. Hoever, it's important to remember that you should not lump different types of log data into a single file. You should keep apache, sendmail, etc all in separate files, but you can certainly combine the streams coming from different hosts running the same application type. This will allow you to continue effectively using sourcetypes. For the main issue with millions of log files, some questions come to mind: Growth is expected to be upwards of 2 million files per month - are we only going to be monitoring new files, or do you also want to index the 2M files from April, the 2M from March, and so on? What is the topology here? What can we expect in terms of data transport from the original log source to Splunk indexer? Are these 2M files distributed amongst various server instances, and you expect to use the Universal Forwarder on each server? Or are they instead being collected centrally, and you're looking to index the logs over NFS? If it's the latter, we may want to use the [DESTRUCTIVE] "sinkhole" input method and copy the logs over in batches. Is there a directory hierarchy for the 2M files that will allow us to efficiently blacklist out known old data? "ignoreOlderThan" is certainly helpful in speeding up file tracking, but there is still the startup-time cost of gathering each file's data, and each blacklisted file is still tracked, meaning the memory is still being used. Blacklisting an entire subdirectory is much more efficient, as we will simply avoid recursing into the directory. The above details are important for any large-ish deployment - once we have a better picture of your scenario, we can provide a more concrete list of steps to get your data flowing. And if you're experimenting on your own, you may want to have a look at this script to get an idea of what the Tailing Processor is doing at any given moment: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/ Amrit ... View more

See --reset @ http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/CommandlinetoolsforusewithSupport#btprobe ... View more

$SPLUNK_DB/persistentstorage (also for fschange). ... View more

Hey sorry, there was an issue a couple of days ago and it appears those files were removed. Can you upload them one more time? 🙂 ... View more

Thanks. We'll take a look at the PML file - in the meantime, can you also attach any Splunk-*.log files in %TEMP%? There should be at least one left behind by the installer's attempt to start splunk initially, and this may have more stdout logging. ... View more

Is it possible for you to help debug this with Process Monitor from http://www.sysinternals.com ? We haven't been able to repro the issue in-house. You'll want to start Process Monitor and add the following two filter (Ctrl+L) entries (I'll separate the fields with pipes for clarity): Process Name|contains|splunk|Include Operation|contains|process|Include Clear (Ctrl+X) the ProcMon log, and then start up Splunk as normal, and after the problem shows up, Save the events to a file (native PML format is fine). I don't think you can upload files to Answers, but you can create a case at the Splunk Support portal and then attach a file to your case. ... View more