I have some files that I want to index, I have created a new very simple sourcetype that fits my log format, and in the preview it looks fine. When I index the files I can see the event count changing in the search summary, and my source type and sources are showing up as well.
But when I run a search these events never show up! Here are some of the searches I tried, and none of my events from this source type are showing up:
sourcetype=my_source_type
*
sourcetype=*
source=path_to_one_of_the_files
My source type looks like this and was generated by Splunk. I want to break at every timestamp (I've also tried setting SHOULD_LINEMERGE and LINE_BREAKER to break at every new line to see if that made any difference):
[my_source_type]
NO_BINARY_CHECK = 1
pulldown_type = 1
And my files look like this:
2013-03-18 03:51:28,616 INFO [22] Deleting id=100188304
2013-03-18 03:51:28,631 INFO [22] Deleting id=100188314
2013-03-18 03:51:28,631 INFO [22] Deleting id=100188313
2013-03-18 08:37:51,728 INFO [46] Checking access to 'path'
I'm using a free license for now, and while trying to index these files I exceeded my limit, but this issue occurred before exceeding the limit.
Does anyone know why I get this weird problem? :S
UPDATE:
I tried the splunk clean eventdata command in the CLI, and then reindexed some files with other custom source types that worked before, and I see the event count changing, saying that 133 events are indexed.
Then I run a search for * and Splunk says it has found 133 events, but no events are showing :S
The difference between these events and the ones with my new source type is that now Splunk tells me it found 133 events but I can't see them, whereas with the new source type Splunk doesn't find any events at all of that source type...
UPDATE #2:
In case anyone wonders, I checked splunkd.log when I tried to index my files, but there were no errors, only a warning on two of my files (I tried to index more than two files):
WARN LineBreakingProcessor - Truncating line because limit of 10000 has been exceeded
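A props.conf stanza that makes line breaking and timestamp parsing explicit for the log format shown in the post, added here as an example that is not part of the original post or of Splunk's generated stanza; the LINE_BREAKER regex is written for the sample lines above, and the TRUNCATE value is an assumption:

```ini
# Added example (not from the original post): props.conf stanza for lines like
# "2013-03-18 03:51:28,616 INFO [22] Deleting id=100188304".
# The LINE_BREAKER regex and the TRUNCATE value are assumptions for this format.
[my_source_type]
NO_BINARY_CHECK = 1
pulldown_type = 1

# Let LINE_BREAKER alone decide event boundaries instead of automatic merging.
SHOULD_LINEMERGE = false

# Break only where the next line starts with a timestamp; the capture group
# consumes the newline, the lookahead keeps the timestamp inside the event.
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})

# The timestamp is the first 23 characters of every event, with millisecond
# precision after the comma (%3N = three subsecond digits).
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 23

# The splunkd.log warning quoted above comes from the default 10000-character
# line limit; raise it only if lines that long are genuinely expected.
TRUNCATE = 20000
```

With SHOULD_LINEMERGE = false, a line that does not start with a timestamp (a stack trace, for example) stays attached to the preceding event rather than becoming its own event.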