
Why has Splunk stopped indexing all log files?

cboard
Explorer

I've recently started using Splunk and it was working fine but at some point seems to have stopped indexing any logs.

I was trying to get a forwarder working, so I'm guessing I've done something in trying to get the forwarder working that has broken the main Splunk.

I've not been able to find anything relevant; everything I've come across (through Google searches) is more about a specific log not being indexed but, in my case, it seems that every log has stopped.

From the search, I've done index=* and it only comes back with data from the 19th but I know the logs have been updated for today.

Where can I look for any problems?

Thanks

0 Karma

mthq
Engager

I seem to have a similar issue, running a standalone environment for 3 days - first two had events indexed but today I have "No results found." Monitoring single file - /var/log/mhn/mhn-splunk.log

This is a college project and I seem to have got stuck here. When checking splunkd.log I see:

0-21-2018 16:55:59.240 +0000 ERROR JsonLineBreaker - JSON StreamId:201389110879379108 had parsing error:Unexpected character: '-' - data_source="/var/log/mhn/mhn-splunk.log", data_host="ubuntu-s-2vcpu-4gb-ServerLondon-01", data_sourcetype="MHN"

The source file keeps getting populated.

0 Karma

richgalloway
SplunkTrust

You should post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma

skoelpin
SplunkTrust

You should first look in splunkd to see if there are any errors. You could do this by looking at the file directly under $SPLUNK_HOME/var/log/splunk/splunkd.log or from Splunk Web by putting this in the search bar: index=_internal sourcetype=splunkd error

What does your Splunk environment look like? Are you in a distributed environment or standalone system? What changes did you make to the Splunk forwarder?

0 Karma
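
An added example, not part of the original thread and not Splunk's own tooling: a small Python triage script for the splunkd.log check suggested above, grouping ERROR/WARN lines by component and data_source so a recurring parsing or forwarding fault stands out. The line layout is inferred from the log line quoted in this thread; every sample line except that quoted one is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Layout inferred from the splunkd.log line quoted in the thread (an assumption):
#   MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<message>.*)$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs inside the message

def parse_line(line):
    """Return a dict for one splunkd.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # continuation lines, blank lines, other formats
    event = m.groupdict()
    event["fields"] = dict(KV_RE.findall(event["message"]))
    return event

def summarize(lines, levels=("ERROR", "WARN")):
    """Count events per (level, component, data_source); '-' if no data_source."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event is None or event["level"] not in levels:
            continue
        source = event["fields"].get("data_source", "-")
        counts[(event["level"], event["component"], source)] += 1
    return counts

# Line 2 is the line quoted in the thread, copied as posted; the rest are constructed.
SAMPLE = """\
10-21-2018 16:55:58.101 +0000 INFO  Metrics - group=pipeline, name=parsing
0-21-2018 16:55:59.240 +0000 ERROR JsonLineBreaker - JSON StreamId:201389110879379108 had parsing error:Unexpected character: '-' - data_source="/var/log/mhn/mhn-splunk.log", data_host="ubuntu-s-2vcpu-4gb-ServerLondon-01", data_sourcetype="MHN"
10-21-2018 16:56:01.512 +0000 ERROR JsonLineBreaker - JSON StreamId:0 had parsing error:Unexpected character: '-' - data_source="/var/log/mhn/mhn-splunk.log", data_host="example-host", data_sourcetype="MHN"
10-21-2018 16:56:02.000 +0000 WARN  TcpOutputProc - constructed sample warning text
    constructed continuation line that is not a log record
"""

if __name__ == "__main__":
    # To run against a real file, pass open(path) instead of the sample lines.
    for (level, component, source), n in summarize(SAMPLE.splitlines()).most_common():
        print(f"{n:5d}  {level:5s}  {component:20s}  {source}")
```
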

adonio
Ultra Champion