×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
woolfalr
New Member
Member since: ‎06-14-2012
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-14-2012
Activity Feed
Topics I've Started
View All

Re: Not all events indexed from file

by in Getting Data In
‎06-19-2012 08:16 AM
‎06-19-2012 08:16 AM
Further analysis after reading a couple of other posts - I exported the raw events (from Splunk) and compared to the original file. It shows we really do have events missing. From each input of the file, I get one or more blocks of contiguous missing events; around 1200 events each time. No obvious pattern to this (except fairly consistent size of the missing blocks). Buffering problem? (but as I said, this is straight out of the box, no configuration tweaks) This seems to tie in with a couple of other threads on here but nobody has any answers yet... (ps Please ignore Clue 2 earlier – just confusion on my part. The total events in my example is 27888) ... View more

Re: Not all events indexed from file

by in Getting Data In
‎06-19-2012 08:12 AM
‎06-19-2012 08:12 AM
Nice try, but no ; they are all linecount=1 . Keep the suggestions coming 🙂 ... View more

Not all events indexed from file

by in Getting Data In
‎06-14-2012 08:58 AM
‎06-14-2012 08:58 AM
I’m new to Splunk, and running with the trial licence exactly as it comes out of the box (no fancy config etc.). i.e. Single instance combining search and indexing, on Windows 7. Using the downloaded sample data, I see that by inputting the same data file repeatedly, I get a different number of events indexed each time. So: First I input a file which resulted in 21065 events indexed. (For info this was the apache3.splunk.com/access_combined.log from the sample data). I input the same file again, using a different host value, and got 26776 events on the summary. Further loads (each with different host value) gave 26693 , 27888 and 24210 events. Each input (except one - see CLUE below) seems to be associated with one or more “ERROR HTTPServer - InputStreamConduit write timed out after 5 seconds.” in Splunkd.log . Can anyone help explain this? CLUE 1: There were no errors in Splunkd.log at the time of the input which resulted in 27888 events. CLUE 2: From inspecting the input file myself I’d say it contains 27705 events. CLUE 3: I'm getting similar problem with a different file (apache2) of about the same size. But not with the apache1 sample file which is smaller (9199 events each time consistently) Thanks for any help! Rick ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM