Splunk skipping some messages to read from file

ankithreddy777
Contributor

I have log files that are updated in real time. For the past two years these files have been ingested into Splunk without issues. Suddenly I found a weird issue where Splunk is skipping some messages in a file here and there. I found that around 10 percent of the messages are skipped.

I am not sure where the root cause is. I could understand if it skipped a complete file, but it's skipping messages here and there in a single file. It's happening for all files ingested from that source. No configs have been changed.

I cannot search for any field value from the missing messages in Splunk.

Should I begin troubleshooting for problems on the indexer side or the forwarder side?

May I know what might cause this type of issue?

0 Karma

ankithreddy777
Contributor

Hi Kamlesh,
Thank you for your reply.
I checked disk space and errors in splunkd.
There are no errors.
I have observed that while searching for data, I can only get data from 17 indexers instead of 20 indexers. A search for the current index does not show any results from the remaining three indexers, exactly from the date we observed that data is missing.
But these three indexers are up and healthy and show results for other indexes.

0 Karma

kamlesh_vaghela
SplunkTrust

Hi Ankithreddy777,

There might be many possibilities for this issue, but I think it should be one of the below:

  • If you have recently started forwarding new events to a different index, then check that the index exists and check splunkd.log on the indexer.
  • It might be a disk space or disk-related issue.

You can troubleshoot the problem by following the link below.

https://wiki.splunk.com/Community:TroubleshootingIndexing

Thanks

0 Karma