Question on Indexed data getting deleted

mehal
New Member

Hello Guys,

I have this very huge problem of indexed data getting deleted. Basically I am doing the following steps.

  1. I edit /etc/system/local/inputs.conf with the following monitor stanza. Basically, I am indexing multiple files under the directory mydata with a custom sourcetype.

    [monitor:///mydata/month_data_20*.csv]
    disabled = false
    followTail = 0
    sourcetype = data_performance
    crcSalt = SOURCE
    
  2. I start the server: /opt/splunk/bin/splunk start

  3. I see data getting indexed on Splunk Web. All files are indexed correctly and to their max size. I also see indexed event counts under manager -> indexes -> main = total event count (405,897 around).

  4. Now I log out from Splunk Web and stop the Splunk instance: /opt/splunk/bin/splunk stop

  5. I do nothing after stopping but simply start the Splunk instance again with /opt/splunk/bin/splunk start

  6. I still see the same count of indexed events on the live dashboard. Now I again go to manager -> indexes -> main. The count is the same (405,897). But now, as I again open the live dashboard, I see indexed events at 1 only. And under total event counts in main I see 1 now instead of the total indexed events (405,897).

I don't understand what the problem is here. 😞 Is it with the stanza that I include under inputs.conf?

Please help me out, guys. I am running out of time to complete this.


MuS
SplunkTrust

Hi mehal,

Have you searched for your indexed data?

    index=main sourcetype=data_performance

Btw: you should be careful with using the crcSalt option; this can end in double-indexing data. Only use it if you have, for example, 'file too small' messages.

cheers,
MuS

mehal
New Member

Not to indexes.conf, but I have added the can delete role in admin. Also, my data is of 1987, so the timestamp is of 1987 when indexed.


Drainy
Champion

Also, have you made any modifications to indexes.conf or user roles?


MuS
SplunkTrust

For sure it does 😉 Run this please:

    | rest /services/data/indexes | where totalEventCount > 0 | table title totalEventCount


mehal
New Member

Yes, I tried this way but no luck. It shows 1 event count under the indexes page. Splunk does not retain indexes when it is stopped??
