Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Having trouble with Indexes and Monitors working together

Ari_McEwing
New Member
‎07-15-2016 05:22 AM

Hello Splunk Community,

I have finally reached a place where I know what I want to do and believe I know the right avenue to do so, yet I am still having trouble getting the pieces to work. I have changed the inputs.conf and the indexes.conf in the local directory ($Splunk\etc\system\local) so that there is a monitor on a few local directories and the frozenTimePeriodInSecs is 1 week.

My goal is to bring in files to the directories with a scheduled task once per week and then Freeze the data so the index is completely wiped every week minus an hour (essentially having only the newest data for 1 week periods and then removing it completely so new data takes its place). My issue is that when testing, the freeze works, but the monitoring seems to stop working after the first freeze. Is there a reason the monitored files are not being received? Also, does the Freeze require a splunkd restart each time or will it work as I hope?

Any and all feedback on the Freeze information and monitoring information would be a great help. Thanks!

0 Karma
Reply

masonmorales
Influencer
‎07-15-2016 09:20 AM

Could the files you are monitoring be unchanged since the previous week? If so, Splunk won't want to re-index the same data. You can get around this by writing a script to "one-shot" the directories to Splunk each week. Take a look at: http://docs.splunk.com/Documentation/Splunk/latest/Data/MonitorfilesanddirectoriesusingtheCLI

The freeze should work fine. You don't need to restart Splunk for the freeze to take effect - Splunk takes care of this for you.

0 Karma
Reply

jplumsdaine22
Influencer
‎07-15-2016 09:17 AM

Lots of possible reasons for new files not being indexed - can you post the relevant inputs.conf monitors? The Frozen time on your index is separate from the monitor processes and does not affect it.

The most likely reason is that your new files appear to be identical to the old ones, but if you share your inputs we can get a better idea.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...