Splunk® Enterprise

Getting Data In


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Troubleshoot the input process

Not finding the events you're looking for?

When you add an input to Splunk Enterprise, that input gets added relative to the app you are in. Some apps, like the *nix and Windows apps, write input data to a specific index (in the case of *nix and Windows, that is the 'os' index). If you are not finding data that you are certain is in Splunk Enterprise, be sure that you are looking at the right index. You might want to add the 'os' index to the list of default indexes for the role you are using. For more information about roles, refer to the topic about roles in the Securing Splunk Enterprise manual. For more information about troubleshooting data input issues, read the rest of this topic or see "I can't find my data!" in the Troubleshooting Manual.

Note: When you add inputs by editing inputs.conf, Splunk Enterprise might not immediately recognize them. Splunk Enterprise looks for inputs every 24 hours, starting from the time it was last restarted. This means that if you add a new stanza to monitor a directory or file, it could take up to 24 hours for Splunk Enterprise to start indexing the contents of that directory or file. To ensure that your input is immediately recognized and indexed, add the input through Splunk Web or by using the add command in the CLI.

Troubleshoot your tailed files

You can use the FileStatus Representational State Transfer (REST) endpoint to get the status of your tailed files. For example:

curl -u username:password https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus

You can also monitor the fishbucket.

The fishbucket is a subdirectory within the Splunk platform directory that keeps a record about each file input. The fishbucket keeps track of how far into a file the Splunk platform has read, so that if you stop and restart splunkd, it knows where in each file input to resume reading. The fishbucket is at $SPLUNK_DB/fishbucket/splunk_private_db.

To monitor the fishbucket, use the REST endpoint. Review the REST API Reference for additional information.
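The following script, added here as an illustration and not part of the Splunk documentation or product, queries the FileStatus endpoint shown above as JSON and reports monitored files that splunkd has not fully read. It assumes each entry's "name" is the file path and its "content" carries "type", "file position" and "file size" keys (confirm against your own endpoint output); the host, credentials and SAMPLE_RESPONSE are constructed.

```python
"""Added example, not Splunk's own code: pull TailingProcessor:FileStatus as
JSON and list monitored files that are not fully read. Assumed: entry "name"
is the file path and "content" carries "type", "file position", "file size".
Host, credentials and SAMPLE_RESPONSE below are constructed for illustration."""
import base64
import json
import ssl
import urllib.request

ENDPOINT = "/services/admin/inputstatus/TailingProcessor:FileStatus"

def fetch_file_status(base_url, username, password, cafile):
    """Query the endpoint over TLS, verifying the server certificate against
    cafile rather than disabling verification (no curl -k style shortcut)."""
    req = urllib.request.Request(f"{base_url}{ENDPOINT}?output_mode=json")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)

def summarize(status):
    """Return {path: reason} for every monitored file splunkd has not fully read."""
    problems = {}
    for entry in status.get("entry", []):
        path = entry.get("name", "?")
        content = entry.get("content", {})
        kind = content.get("type") or "unknown state"
        if kind == "directory":
            continue  # bookkeeping entry for a monitored directory, nothing to read
        if kind != "open file":
            problems[path] = kind  # e.g. a file that was ignored or blacklisted
            continue
        pos = int(content.get("file position", 0))
        size = int(content.get("file size", 0))
        if size and pos < size:
            problems[path] = f"{100.0 * pos / size:.1f}% read ({pos} of {size} bytes)"
    return problems

# Constructed sample of the JSON shape this script expects (not real output).
SAMPLE_RESPONSE = {"entry": [
    {"name": "/var/log", "content": {"type": "directory"}},
    {"name": "/var/log/messages", "content": {"type": "open file", "file position": 4096, "file size": 4096}},
    {"name": "/var/log/auth.log", "content": {"type": "open file", "file position": 1024, "file size": 8192}},
    {"name": "/var/log/secure.gz", "content": {"type": "ignored file"}},
]}
```

Against a live instance, call summarize(fetch_file_status("https://serverhost:8089", "username", "password", "/path/to/ca.pem")); a file stuck well below 100% or reported in a non-open state is the first thing to compare with its inputs.conf stanza.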

Troubleshoot monitor inputs

For a variety of information on dealing with monitor input issues, read "Troubleshooting Monitor Inputs" in the Community Wiki.

Can't find data coming from a forwarder?

Make sure the forwarder is functioning properly and is visible to the indexer. You can use the Deployment Monitor app to troubleshoot Splunk topologies and get to the root of any forwarder issues. Read the Deploy and Use Splunk Deployment Monitor App manual for details.

Last modified on 25 July, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
