Solved: How to find out why Splunk Indexer re-indexed my I...

Nahra · ‎01-12-2017

Recently, my Splunk environment decided to re-index ALL of my IIS logs (which crushed my daily license quota). I have been tasked with finding the root cause of why that happened.

Is there anyway to find in the Splunk logs why it decided to re-index all these logs?

martin_mueller · ‎01-12-2017

Search index=_internal host=an_iis_forwarder NOT component="Metrics" for clues around the time of the reindex.

View solution in original post

skoelpin · ‎01-12-2017

A place to start would be to look at timestamps on your fishbucket.. Fishbucket is responsible for keeping pointers of what's been indexed, so this would be a reasonable assumption to check

martin_mueller · ‎01-12-2017

Search index=_internal host=an_iis_forwarder NOT component="Metrics" for clues around the time of the reindex.

Nahra · ‎01-12-2017

Looks like a new deployed was created that monitored the IIS log location and the old deployed app was removed.

Would that cause Splunk to re-index? I thought that data was separate from the app.

martin_mueller · ‎01-12-2017

Usually not, but it depends on the old and new input configuration.

somesoni2 · ‎01-12-2017

It would. Once the old app was removed, it will clear Splunk's monitoring list/_fishbucket which tracks the files being monitored (and till what point it has monitored the log file). When the new app was deployed, Splunk will treat that a new data monitoring and will read the file from start and can cause duplicates.

How to find out why Splunk Indexer re-indexed my IIS logs?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases