Getting Data In

unable to index files after deleting events and creating new sourcetype

Cuyose
Builder

I know splunk has always been a pain when trying to "fix" indexed data. I have deleted events from monitored paths in inputs because they were not indexed correctly via the sourcetype I created in props.conf. So after deleting the bad data, I fixed the props and inputs in the deployment App, pushed and verified the new files got to the servers.

Now even new files in the monitored directory are not being indexed. Ive event restarted the cluster master rolling restart of indexers, set new crcSalt values, etc. Nothing.

Tags (1)
0 Karma
1 Solution

Cuyose
Builder

I had an extra : in my input stanza. For anyone also looking for troubleshooting and that comes across this. The easy way, and what I should have done first is check the _internal index for the file path I was thinking I was monitoring.

View solution in original post

0 Karma

Cuyose
Builder

I had an extra : in my input stanza. For anyone also looking for troubleshooting and that comes across this. The easy way, and what I should have done first is check the _internal index for the file path I was thinking I was monitoring.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...