Solved: Re: Splunk 4.1.6 - skipped indexing of internal au...

inquen · ‎07-07-2011

How would I resolve an issue like this? There appears to be ample disk space on the server hosting the Splunk installation.

jbsplunk · ‎07-07-2011

It probably means something is going on with the queues sending data through Splunk. I would check metrics.log for messages that show 'blocked=true'. Disk space could be part of the reason you'd run into this issue, but its sort of a generic 'things aren't healthy' message.

View solution in original post

k_harini · ‎05-25-2017

How was this resolved? Please help

rachelneal · ‎01-19-2012

I am having the exact same problem and have ample disk space as well. I do find a lot of "blocked=true" in the metrics log but not sure how to remedy. what ended up working?

chicodeme · ‎10-20-2011

What did it end up being?

jbsplunk · ‎07-07-2011

It probably means something is going on with the queues sending data through Splunk. I would check metrics.log for messages that show 'blocked=true'. Disk space could be part of the reason you'd run into this issue, but its sort of a generic 'things aren't healthy' message.

Splunk 4.1.6 - skipped indexing of internal audit event will keep dropping events until indexer congestion is remedied. Check disk space and other issues that may cause indexer to block

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases