Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find out why Splunk Indexer re-indexed my IIS logs?

Nahra
New Member
‎01-12-2017 09:37 AM

Recently, my Splunk environment decided to re-index ALL of my IIS logs (which crushed my daily license quota). I have been tasked with finding the root cause of why that happened.

Is there anyway to find in the Splunk logs why it decided to re-index all these logs?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-12-2017 09:51 AM

Search index=_internal host=an_iis_forwarder NOT component="Metrics" for clues around the time of the reindex.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎01-12-2017 10:13 AM

A place to start would be to look at timestamps on your fishbucket.. Fishbucket is responsible for keeping pointers of what's been indexed, so this would be a reasonable assumption to check

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-12-2017 09:51 AM

Search index=_internal host=an_iis_forwarder NOT component="Metrics" for clues around the time of the reindex.

0 Karma
Reply
Solved! Jump to solution

Nahra
New Member
‎01-12-2017 11:04 AM

Looks like a new deployed was created that monitored the IIS log location and the old deployed app was removed.

Would that cause Splunk to re-index? I thought that data was separate from the app.

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎01-12-2017 02:13 PM

Usually not, but it depends on the old and new input configuration.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎01-12-2017 11:23 AM

It would. Once the old app was removed, it will clear Splunk's monitoring list/_fishbucket which tracks the files being monitored (and till what point it has monitored the log file). When the new app was deployed, Splunk will treat that a new data monitoring and will read the file from start and can cause duplicates.

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...