topic Re: Will" _internal" index records the error that occur during integration in Splunk Enterprise

When an error occurs during integration process, will that be recorded by "_internal" index?

restinlinux — Tue, 20 Sep 2022 18:08:22 GMT

Hey Splunkers !

When an error occur during integration process, will that be recorded by "_internal" index??

Will data on-boarding / data parsing errors recorded by the _internal index....?

if so , logical SPL query to trouble shoot those errors would be welcome

what kind of integration errors will be recorded in _internal index ?

Re: Will" _internal" index records the error that occur during integration

richgalloway — Tue, 20 Sep 2022 16:40:31 GMT

It depends on the type of integration and how it is done, but, yes, there often is something in _internal when a problem occurs during data onboarding.

Some common error messages pertain to timestamp parsing, line breaking, scripted input failure, and much more.

The exact SPL query will depend on what you seek, but start with index=_internal error and go from there.

Re: Will" _internal" index records the error that occur during integration

restinlinux — Tue, 20 Sep 2022 18:01:11 GMT

Thanks ! @richgalloway

Does it collects network relative issues from the endpoints ..

And will errors that occur during forwarding data will be recorded on _internal index

The query is really a basic which bring up all the error events in the _internal index...

Looking and working on some nice SQL like to calculate all the errors based on its type (parsing , Time Stamp,etc..) during the integration

And by analyzing the _internal index , there's a field named component with lot values which seems to be interesting .. if possible can you brief this field values.....

-----------

RestinLinux

Re: Will" _internal" index records the error that occur during integration

richgalloway — Tue, 20 Sep 2022 18:59:41 GMT

No, the _internal index does not collect data from endpoints (except for UFs). It logs Splunk's own event messages, including those from search heads, indexers, and forwarders.

Yes, the query I provided was very basic - as was the question it answered. For more specific help, ask a more specific question. Experiment with it until you end up with a query (or several) that suits your use case(s).

Components are useful to filter on. There are many, perhaps hundreds, of components, so I can't document them here (not sure they're documented anywhere), but some of the more useful ones for finding onboarding issues are: LineBreakingProcessor, Metrics (shows throughput, among other things), HttpListener (if using HEC), TailReader (tells about monitored files), TcpInputProc (connections from other Splunk instances), DateParserVerbose (timestamp parsing errors), Aggregator* (line merging issues).

Re: Will" _internal" index records the error that occur during integration

isoutamo — Wed, 21 Sep 2022 08:57:39 GMT

The easiest way to look those which @richgalloway pointed out is MC. Just open it and look Indexing -> Inputs -> Data Quality. Then select suitable Time Range and other offered filters and you will get list off issues. You could drill down with those values to look more detailed level of those issues.