https://community.splunk.com/t5/Getting-Data-In/How-to-find-lost-logs-from-universal-forwarder/m-p/214666#M42226 <P>Hi,</P> <P>I've a universal forwarder on a Linux machine that forwards Security Onion logs to my Splunk instance.</P> <P>Logs are coming to network interface via port 9998 (checked tcpdump), When I try to search with;</P> <PRE><CODE>index=_internal metrics kb group=per_sourcetype_thruput | eval sizeMB = round(kb/1024,2)| stats sum(sizeMB) by series | sort -sum(sizeMB) | rename sum(sizeMB) AS "Size on Disk (MB)" </CODE></PRE> <P>It shows source names etc. and logs are coming to my instance but when I try to see the logs, I can't find the logs. They're being saved somewhere but I can't figure out the search to see them.</P> <P>How can i do this?</P> <P>Regards,</P> Tue, 08 Nov 2016 13:06:28 GMT ozirus 2016-11-08T13:06:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-find-lost-logs-from-universal-forwarder/m-p/214666#M42226 <P>Hi,</P> <P>I've a universal forwarder on a Linux machine that forwards Security Onion logs to my Splunk instance.</P> <P>Logs are coming to network interface via port 9998 (checked tcpdump), When I try to search with;</P> <PRE><CODE>index=_internal metrics kb group=per_sourcetype_thruput | eval sizeMB = round(kb/1024,2)| stats sum(sizeMB) by series | sort -sum(sizeMB) | rename sum(sizeMB) AS "Size on Disk (MB)" </CODE></PRE> <P>It shows source names etc. and logs are coming to my instance but when I try to see the logs, I can't find the logs. They're being saved somewhere but I can't figure out the search to see them.</P> <P>How can i do this?</P> <P>Regards,</P> Tue, 08 Nov 2016 13:06:28 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-find-lost-logs-from-universal-forwarder/m-p/214666#M42226 ozirus 2016-11-08T13:06:28Z https://community.splunk.com/t5/Getting-Data-In/How-to-find-lost-logs-from-universal-forwarder/m-p/214667#M42227 <P>You could have a timestamp problem. Try searching All Time to see if Splunk is logging the events in the future.</P> Tue, 08 Nov 2016 13:19:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-find-lost-logs-from-universal-forwarder/m-p/214667#M42227 richgalloway 2016-11-08T13:19:11Z https://community.splunk.com/t5/Getting-Data-In/How-to-find-lost-logs-from-universal-forwarder/m-p/214668#M42228 <P>Thanks! It was.</P> Tue, 08 Nov 2016 13:41:46 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-find-lost-logs-from-universal-forwarder/m-p/214668#M42228 ozirus 2016-11-08T13:41:46Z https://community.splunk.com/t5/Getting-Data-In/How-to-find-lost-logs-from-universal-forwarder/m-p/214669#M42229 <P>Please accept the answer.</P> Tue, 08 Nov 2016 15:33:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-find-lost-logs-from-universal-forwarder/m-p/214669#M42229 richgalloway 2016-11-08T15:33:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-find-lost-logs-from-universal-forwarder/m-p/214670#M42230 <P>It wasn't available yesterday. Now it is accepted i guess. Thanks again!</P> Wed, 09 Nov 2016 10:37:02 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-find-lost-logs-from-universal-forwarder/m-p/214670#M42230 ozirus 2016-11-09T10:37:02Z