Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Data not showing up in search

sourabhguha
Explorer
‎04-05-2013 07:20 AM

Hi,

I have an existing sourcetype for which I had some data earlier by pointing to a file. The events in the file show up in the search. Now I added another file and used the same sourcetype for it. However, the events from the new file do not show up in the search. i believe they are not getting indexed.

Please let me know what additional information or logs i can provide to help investigate this issue.

Thanks,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

BobM
Builder
‎04-05-2013 07:44 AM

There are a few possibilities for this.

1) If a file is identical or at least the first 1k and last 1k are identical, splunk assumes it is the same file and does not re-index it.

2) If a file is random enough, splunk may think it is binary and not index it.

3) If a file is tabular but with different columns to a previous file, splunk indexes it but adds a number to the sourcetype to indicate it is a different type. e.g. IIS becomes IIS-2 etc.

4) If monitor overlaps another input it may not be indexed.

If you can identify one of these, we can work out a resolution.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ihuzaifazahoor
New Member
‎02-03-2020 04:17 AM

Try to change preset value to All Time,Try to change your preset to All Time

0 Karma
Reply
Solved! Jump to solution
Solution

BobM
Builder
‎04-05-2013 07:44 AM

There are a few possibilities for this.

1) If a file is identical or at least the first 1k and last 1k are identical, splunk assumes it is the same file and does not re-index it.

2) If a file is random enough, splunk may think it is binary and not index it.

3) If a file is tabular but with different columns to a previous file, splunk indexes it but adds a number to the sourcetype to indicate it is a different type. e.g. IIS becomes IIS-2 etc.

4) If monitor overlaps another input it may not be indexed.

If you can identify one of these, we can work out a resolution.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...