- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Question on Indexed data getting deleted
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Guys,
I have these very huge problem of indexed data getting deleted. Basically i am doing following steps.
I edit /etc/system/local/inputs.conf with following monitor stanza. Basically indexing multiple files under directory mydata with custom sourcetype.
[monitor:///mydata/month_data_20*.csv] disabled = false followTail = 0 sourcetype = data_performance crcSalt = SOURCEI start the server /opt/splunk/bin/splunk start
I see data getting indexed on splunk web. all files are indexed correctly and to their max size. I also see indexed event counts under manager -> indexes -> main = total event count (405,897 around).
Now I logout from splunk web and stop the splunk instance. /opt/splunk/bin/splunk stop
I do nothing after stopping but simply start the splunk instance again with /opt/splunk/bin/splunk start
I still see same count of indexed event on dashboard live. Now I again go to manager - > indexes - > main . count is same (405,897). But now as I now again open dashboard live i see indexed events to 1 only. And under total events counts in main I see 1 now instead of total indexed events (405,897).
I dont understand what is the problem here. 😞 is it with stanza that I include under inputs.conf ???
Please help me out guys I am running out of time to complete these.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi mehal
have you searched for your indexed data?
index=main sourcetype=data_performance
btw: you should be careful with using the crcSalt option, this can end in double indexing data. Only use it if you have for example 'file too small' messages.
cheers,
MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi mehal
have you searched for your indexed data?
index=main sourcetype=data_performance
btw: you should be careful with using the crcSalt option, this can end in double indexing data. Only use it if you have for example 'file too small' messages.
cheers,
MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not to indexes.conf but i have added can delete role in admin.. Also my data is of 1987. so timestamp is of 1987 when indexed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also, have you made any modifications to indexes.conf or user roles?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
for sure it does 😉 run this please:
| rest /services/data/indexes | where totalEventCount > 0 | table title totalEventCount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes i tried these way but no luck. It shows 1 event count under indexes page. Splunk does not retain indexes when it is stopped ??
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
