Re: Data not ingested for only a few days

ishugupta · ‎09-12-2014

I am facing a weird issue ,A particular file has only been ingested for 4 days day even though we we have been receiving it for last 10 days .
I looked the configuration , inputs.conf and props.conf , they are unchanged and the data got ingested yesterday as well .
I have gone through the logs on the forwarder as well .
Can you please tell me where I can look for error on indexers , or can there be any potential issue that someone can point out?

sowings · ‎09-12-2014

If the new file that gets placed there is "too similar" to the prior version, Splunk will refuse to index it on the belief that it already has. By "too similar" I mean "if the first <default> 256 bytes are the same". This size can be updated (see initCrcLength in inputs.conf).

ishugupta · ‎09-12-2014

we keep on placing new file each day.
I researched more , I checked the log on the indexer license_usage.log , I can see the entry there...still I cant pull up the file on the console..

sowings · ‎09-12-2014

More information please:

Is ths new contents on the same filename (i.e. a complete replacement)?

Or is it continued additions to a single file? (i.e. same file growing larger day by day)

Data not ingested for only a few days

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases