Splunk stops indexing data

madisonAvalos
Engager

All my other indexes are indexing data.
I created a new one, and I need to have 1164 records, but only 994 appear. I ran the SQL query directly with dbxquery and there are 1164 records.
There are even 1164 records when I created the new input, but when I saved it to the index, only 994 appear,
and it is not indexing more data. I used a rising column and selected time to use as the ID. I tried using a batch input and it also only indexed 994 records.

any ideas?

0 Karma

DalJeanis
SplunkTrust

Here's how I would triage this issue:

First, you need to figure out which events are NOT being indexed. The chances are pretty good that you have 170 events that are somehow invalid, at least according to your configuration, but until you identify the difference, it's all guesswork.

So, take your SQL query, and cut it down so that it returns, say, 20 records. Then do the same search against your index and see how many records you get. You are looking for any query that gets you a small number of changes, so that you can identify what is different about the records that are not getting indexed.

If you can't find any differences, then start doing a binary search on your data. By which I mean, cut the data in half and see which half has differences in it. Keep splitting the data in half, and picking a half that has differences, until you get the results to be small enough that you can see which transaction is being dropped. (It may turn out to be a result that is twice in the SQL and being indexed only once, although it probably isn't that.)

Once you see one record that is being dropped, compare it to the records that are being indexed and look for obvious differences. Pay special attention to null fields and required fields and fields that might have bad data or odd characters in them.

Finally, if nothing jumps out at you, then you will have to go through your configurations, one step at a time, and see how the record that was dropped would be processed. Look for any reason that it might be sent to the null queue, or, perhaps, to a different index.

0 Karma
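An added example, not from the thread: a small Python helper that does the comparison DalJeanis describes, using constructed sample rows. It assumes the rising column `id` is the join key between the SQL result set and the indexed events; the field names are invented for illustration.

```python
"""Triage helper for "SQL returns N rows but the index shows fewer".

Compares the rows a DB Connect query returns against the events that
actually landed in the index, then flags what is odd about the dropped
rows: duplicate keys (counted twice in SQL, indexed once), NULL fields,
and control characters that may trip a parsing rule.
"""
from collections import Counter
import json

# Constructed sample data: rows as returned by the SQL query (keyed by the
# assumed rising column "id") and the ids of events found in the new index.
SQL_ROWS = [
    {"id": 1, "user": "alice", "ts": "2024-03-01 10:00:00"},
    {"id": 2, "user": "bob",   "ts": "2024-03-01 10:01:00"},
    {"id": 2, "user": "bob",   "ts": "2024-03-01 10:01:00"},  # duplicate key
    {"id": 3, "user": None,    "ts": "2024-03-01 10:02:00"},  # NULL field
    {"id": 4, "user": "d\x00ave", "ts": "2024-03-01 10:03:00"},  # control char
    {"id": 5, "user": "eve",   "ts": None},                   # NULL timestamp
]
INDEXED_IDS = {1, 2}


def triage(sql_rows, indexed_ids, key="id"):
    """Return duplicate keys, the keys missing from the index, and per-row hints."""
    key_counts = Counter(r[key] for r in sql_rows)
    duplicates = sorted(k for k, n in key_counts.items() if n > 1)
    hints = {}
    for row in sql_rows:
        if row[key] in indexed_ids:
            continue  # this row made it into the index; nothing to explain
        reasons = []
        for field, val in row.items():
            if val is None:
                reasons.append(f"{field} is NULL")
            elif isinstance(val, str) and any(ord(c) < 32 for c in val):
                reasons.append(f"{field} contains control characters")
        hints[row[key]] = reasons
    return {"duplicate_keys": duplicates,
            "missing_keys": sorted(hints),
            "hints": hints}


if __name__ == "__main__":
    print(json.dumps(triage(SQL_ROWS, INDEXED_IDS), indent=2))
```

In practice the two inputs come from `| dbxquery` and a `stats count by id` over the new index; rows whose hints list is empty are the ones to walk through props/transforms by hand.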