On my development splunk v6.2.6 I developed a new custom app called auditing with one index which is deployed successfully alongside an existing app called logging with one index.
But when I deploy my new auditing app to my testing splunk v6.2.6, after a while both apps' indexes stop indexing. If I remove the new auditing app from splunk, the old logging index resumes logging events from the point it left off and works as expected. Moving the auditing app back into splunk stops the indexing for both again.
I've gone thru splunk answers to eliminate issues like missing source files, inputs.conf stanzas, etc but so far no luck I also started splunk with --debug but cannot tell in splunkd.log what is breaking the indexing.
Is there any other settings or specific debug msgs I should look for?
Thanks
↧