https://community.splunk.com/t5/Splunk-Cloud-Platform/Logs-not-ingested/m-p/685664#M3003 <P>Hi All,</P><P>I am unable to see the logs for the source even after seeing the file is being tailed and read in internal logs. Can you please guide as to what could be wrong here?</P><P>&nbsp;</P><P>I can see in internal logs:<BR /><SPAN class="">INFO</SPAN> <SPAN class="">Metrics</SPAN> <SPAN class="">-</SPAN> <SPAN class="">group=per_source_thruput</SPAN><SPAN>, </SPAN><SPAN class="">series="log_source_path",&nbsp; kbps=0.056<SPAN>, </SPAN>eps=0.193<SPAN>, </SPAN>kb=1.730<SPAN>, </SPAN>ev=6<SPAN>, </SPAN>avg_age=0.000<SPAN>, </SPAN>max_age=0</SPAN></P><P>&nbsp;</P><P><SPAN class="">But I dont see the logs in Splunk, the recent logs are there in file in the host, other sources are also coming into splunk fine.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 26 Apr 2024 17:07:58 GMT abhi04 2024-04-26T17:07:58Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Logs-not-ingested/m-p/685664#M3003 <P>Hi All,</P><P>I am unable to see the logs for the source even after seeing the file is being tailed and read in internal logs. Can you please guide as to what could be wrong here?</P><P>&nbsp;</P><P>I can see in internal logs:<BR /><SPAN class="">INFO</SPAN> <SPAN class="">Metrics</SPAN> <SPAN class="">-</SPAN> <SPAN class="">group=per_source_thruput</SPAN><SPAN>, </SPAN><SPAN class="">series="log_source_path",&nbsp; kbps=0.056<SPAN>, </SPAN>eps=0.193<SPAN>, </SPAN>kb=1.730<SPAN>, </SPAN>ev=6<SPAN>, </SPAN>avg_age=0.000<SPAN>, </SPAN>max_age=0</SPAN></P><P>&nbsp;</P><P><SPAN class="">But I dont see the logs in Splunk, the recent logs are there in file in the host, other sources are also coming into splunk fine.</SPAN></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 26 Apr 2024 17:07:58 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Logs-not-ingested/m-p/685664#M3003 abhi04 2024-04-26T17:07:58Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Logs-not-ingested/m-p/685666#M3004 <P>What search are you using to try to find the data?</P> Fri, 26 Apr 2024 17:29:46 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Logs-not-ingested/m-p/685666#M3004 richgalloway 2024-04-26T17:29:46Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Logs-not-ingested/m-p/685684#M3005 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;well it goes to specific index, but I have also tried the below and I dont see the source or the events:</P> <LI-CODE lang="markup">index=* host=abc | stats values(source) index=* source=log_source_path </LI-CODE> Fri, 26 Apr 2024 22:48:15 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Logs-not-ingested/m-p/685684#M3005 abhi04 2024-04-26T22:48:15Z https://community.splunk.com/t5/Splunk-Cloud-Platform/Logs-not-ingested/m-p/685689#M3006 <P>1. You can look for the source using metadata command</P><PRE>| metadata type=sources</PRE><P>or even</P><PRE>| metadata type=sources index=your_index</PRE><P>Alternatively you can use tstats</P><PRE>| tstats count where index IN (some, subset, of, your, indexes) source="your_source" by index</PRE><P>2. The data may not be findable due to a host of possible issues:</P><P>a) The data is indexed outside of your search timerange due to either data itself or wrong timestamp recognition</P><P>b) The configuration can be filtering/redirecting events to another index</P><P>c) The data may be being sent to a non-existent index and you don't have last-resort index defined</P><P>d) The source might be overwritten on ingestion.</P> Fri, 26 Apr 2024 21:45:11 GMT https://community.splunk.com/t5/Splunk-Cloud-Platform/Logs-not-ingested/m-p/685689#M3006 PickleRick 2024-04-26T21:45:11Z