https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470085#M80839 <P>Since this is a small file, can you use <STRONG>monitor</STRONG> instead of <STRONG>batch</STRONG> and check?</P> Tue, 11 Feb 2020 05:11:38 GMT manjunathmeti 2020-02-11T05:11:38Z https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470082#M80836 <P>I have one missing event out of 168 events from our Universal Forwarder. I've already checked the internal logs and the file has been indexed "Batch input finished reading file=", but I cannot find this source on my index. I also tried to expand time range and nothing appears, then check if the forwarder was restarted on the time of file was index, but it is not. </P> <P>Settings on my forwarder is:</P> <P><STRONG>inputs.conf</STRONG><BR /> [batch://my_path]<BR /> move_policy = sinkhole<BR /> disabled = false<BR /> sourcetype = my_sourcetype<BR /> index = my_index</P> <P><STRONG>outputs.conf</STRONG><BR /> [tcpout]<BR /> defaultGroup = default-autolb-group-forwarder</P> <P>[tcpout:default-autolb-group-forwarder]<BR /> disabled = false<BR /> server = myIndexer:9997<BR /> useACK = true</P> Wed, 30 Sep 2020 04:09:43 GMT https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470082#M80836 iancorrea 2020-09-30T04:09:43Z https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470083#M80837 <P>Is there any extraction or parsing done on sourcetype 'my_sourcetype'?</P> Tue, 11 Feb 2020 04:50:51 GMT https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470083#M80837 manjunathmeti 2020-02-11T04:50:51Z https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470084#M80838 <P>yes, the other 167 events was successfully parsed</P> Tue, 11 Feb 2020 04:52:41 GMT https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470084#M80838 iancorrea 2020-02-11T04:52:41Z https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470085#M80839 <P>Since this is a small file, can you use <STRONG>monitor</STRONG> instead of <STRONG>batch</STRONG> and check?</P> Tue, 11 Feb 2020 05:11:38 GMT https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470085#M80839 manjunathmeti 2020-02-11T05:11:38Z https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470086#M80840 <P>I have been using batch since 1 month ago and there is no problem until this day. I cannot use the monitor because my client wants to use batch.</P> Tue, 11 Feb 2020 08:12:22 GMT https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470086#M80840 iancorrea 2020-02-11T08:12:22Z https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470087#M80841 <P>Is this one event missing from a single log file?<BR /> (ie the log contains 168 events, and only 167 have been indexed)<BR /> Or is this one event from a batch of multiple files?</P> <P>The reason I ask is that it could be that the missing event did not break properly and was either merged, or dropped.</P> <P>If you still have the source log file, are you able to identify which event is missing, and does it appear "well formed" in the context of the other events?</P> Tue, 11 Feb 2020 11:33:27 GMT https://community.splunk.com/t5/Getting-Data-In/Missing-events-from-Splunk-Universal-Forwarder/m-p/470087#M80841 nickhills 2020-02-11T11:33:27Z