I don't have a clue anymore. My data isn't being indexed anymore. I attempted all three ways of Files & Directories but couldn't figure out why.
Here's my steps:
1- Placed the file to be indexed on the Splunk instance.
2- Entered the path in F&D (monitor a file or a directory).
3- Selected default as my index.
And that's it. Even so, my indexed data is not showing up.
Does anybody have a clue what is missing?
I have checked the index in Splunk Web and the main index is still 0 MB. In other words, it hasn't been indexed.
What are the properties of this file? Are you sure that it is accessible / readable by Splunk? Check its permissions. Have you tried inputting other files? Do you get any data in? What happens if you run a search for index=_internal? Do you see any data coming in at all?
It's an Event Viewer file. It's readable by Splunk, since the server has some already indexed files in the same directory structure. The _internal index would be my second question. I went there to check my internal index, but it's gone. I'm running Splunk in a test environment, so I cleaned all the index data more than once. I guess during this test the internal index stopped indexing.
There are numerous ways to troubleshoot this, with the following being my suggestions:
Run a search that specifies your exact file, all indexes, and all time. Not using the exact file, all indexes, and all time is the most common mistake. For example, the search should resemble the following (select the time range All Time):
index=* source=/path/to/your/file*
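A small pre-flight check for a monitor target, added here as an example and not part of the thread or of Splunk itself. It assumes you run it as the same OS account the Splunk process runs as, and it treats any file containing NUL bytes as binary, since a default monitor input skips files it detects as binary; it ends by printing the all-indexes search suggested above.

```shell
#!/bin/sh
# check_monitor_target PATH
# Verifies the conditions a file must meet before a monitor input can
# index it, and prints the search to confirm whether it was indexed.
# Return codes: 0 ok, 1 missing, 2 unreadable, 3 empty, 4 binary.
check_monitor_target() {
  path="$1"
  if [ ! -e "$path" ]; then
    echo "MISSING: $path does not exist on this host"
    return 1
  fi
  # Run as the Splunk service account so this reflects its permissions.
  if [ ! -r "$path" ]; then
    echo "UNREADABLE: $path is not readable by $(id -un); check permissions"
    return 2
  fi
  if [ ! -s "$path" ]; then
    echo "EMPTY: $path has no bytes, so there is nothing to index"
    return 3
  fi
  # Assumption: a NUL byte anywhere marks the file as binary (e.g. an
  # exported .evtx), which a default monitor input will not parse as text.
  if ! tr -d '\000' < "$path" | cmp -s - "$path"; then
    echo "BINARY: $path contains NUL bytes; a text monitor input will skip it"
    return 4
  fi
  echo "OK: $path is present, readable and looks like text"
  echo "Confirm with (time range All Time): index=* source=\"$path*\""
  return 0
}
```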
I already did this. Even if I was indexing the same files, the first of them should appear here. I tried searching all indexes for the source and for a string inside the file, but without success.