Knowledge Management

My data isn't being indexed.

Caio_Santos
Path Finder

I don't have a clue anymore. My data hasn't been indexed anymore. I attempted all the three ways of Files & Directories but couldn't figure out why.

Here's my steps:

1- Place the file to be indexed on the splunk instance.

2- Enter with the path on the F&D (monitor a file or a directory)

3- Selected the default as my index

And that's it. Even though my indexed data is not showing up

Does anybody have a clue what is missing ?

I have checked the Index out on the Splunk Web and the main index still 0 MB. In other words, it hasnt been indexed.

Tags (2)

genti1
Engager

What are the properties of this file? Are you sure that it is accessible / readable by splunk? Check its permissions. Have you tried inputing other files? Do you get any data in? what happens if you run a search for index=_internal do you see any data coming in at all?

Caio_Santos
Path Finder

It's an Event Viewer file. its readable by splunk, since the server has at the same directory structure some indexed files. the _internal index would be my second question. I went there to check my internal index out, but its gone. I'm running splunk on test environment, so I cleaned all the index data more than one. I guess during this test the internal index has stopped indexing.

0 Karma

Simeon
Splunk Employee
Splunk Employee

There are numerous ways to troubleshoot this, with the following being my suggestions:

  1. Make sure you are not indexing duplicate data/files, where the first 256 bytes might be similar. If this is happening, then you should investigate how to index duplicate files.
  2. Run a search that specifies your exact file, all indexes, and all time. NOT using the exact file, all indexes, and all time are the most common mistake. For example, the search should resemble (select the TimeRange over All-Time):

    index=* source=/path/to/your/file*

Caio_Santos
Path Finder

I already did this. even if I was indexing same files the first of them should appear here. I tryed looking for all indexes and the source, a string inside the file, but without success

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...