Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why has Splunk stopped indexing all log files?

cboard
Explorer
‎03-20-2017 03:27 AM

I've recently started using Splunk and it was working fine but at some point seems to have stopped indexing any logs.

I was trying to get a forwarder working so I'm guessing I've done something in trying to get the forwarder working that I've broken the main Splunk.

I've not been able to find anything relevant, everything I've come across (through Google searches) is more of a specific log not being indexed but, in my case, it seems to that every log has stopped.

From the search, I've done index=* and it only comes back with data from the 19th but I know the logs have been updated for today.

Where can I look for any problems?

Thanks

0 Karma
Reply

mthq
Engager
‎10-21-2018 10:09 AM

I seem to have a similar issue, running a standalone environment for 3 days - first two had events indexed but today I have "No results found." Monitoring single file - /var/log/mhn/mhn-splunk.log

This is college project and I seem to got stuck here. When checking splunkd.log I see:

0-21-2018 16:55:59.240 +0000 ERROR JsonLineBreaker - JSON StreamId:201389110879379108 had parsing error:Unexpected character: '-' - data_source="/var/log/mhn/mhn-splunk.log", data_host="ubuntu-s-2vcpu-4gb-ServerLondon-01", data_sourcetype="MHN"

The source file keeps getting populated.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-21-2018 05:24 PM

You should post a new question.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-20-2017 12:08 PM

You should first look in splunkd to see if there's any errors. You could do this by looking at the file directly under $SPLUNK_HOME/var/log/splunk/splunkd.log or from Splunk Web by putting this in the search bar index=_internal sourcetype=splunkd error

What does your Splunk environment look like? Are you in a distributed environment or standalone system? What changes did you make to the Splunk forwarder?

0 Karma
Reply

adonio
Ultra Champion
‎03-20-2017 05:14 AM

Hi cboard,
try here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/Cantfinddata

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...