- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Need help with data forwarded but not indexed
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need help with data forwarded but not indexed
I setup a Universal Forwarder forwarding some CSV files to three indexers. I made the mistake of forwarding the data before setting the indexes on the indexers. So now the status is this: The forwarder shows that all data files are forwarded; I see one message like the one below in each indexer's splunkd.log:
02-26-2013 09:47:15.697 -0500 WARN IndexProcessor - received event for unconfigured/disabled index='dcmon' with source='source::/opt/var/log/data-2013-02-21.csv' host='host::fwdr-prod01' sourcetype='sourcetype::dcmon' (1 missing total)
After the indexes are setup, I did a "clean all" on the forwarder. But I still am not able to find any event for this data. The daily CSV file grows every 15 minutes and the forwarder continues to show that new data is forwarded. But the indexes on the indexers are still zero in size.
By the way, other data from the same forwarder can be found on the indexers.
Any pointers are greatly appreciated.
[edit] The indexes ("dcmon") on all three indexers are showing "Enabled" under status.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You will have to clean the fishbucket on the indexer as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did cleaning the fishbucket correct your problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Correct on the UF. Keep in mind though that _thefishbucket on the indexers will also need to be cleaned. It will retain that it has already seen the data, even if it was not indexed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the command may not exists on the UF.
You can do the same by stopping splunk on the forwarder, deleting the folder $SPLUNK_HOME/var/lib/splunk/fishbucket, and restart splunk.
PS: every single log file will be re-indexed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It will be the same command you used for cleaning the index, just use _thefishbucket after -index
splunk clean eventdata -index _thefishbucket
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey shane, i really dont understand.
can you update your answer with the command of implementing it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi i am following your post let me know what was the solution to your above mentioned question
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
