Hi,
I have an issue where Splunk is not picking up the first few lines (3-5 lines) of log files when doing a search. There is no customization done via the props and transforms.
I have also checked and didn't find any messages in $SPLUNK_HOME/var/log/splunk/splunkd.log on the forwarder that pointed to any issue of these lines being skipped.
Any suggestions?
Regards,
AKN.
Hi @aknsun
I can't see anything obviously wrong with your log that would cause events to go missing.
The following things could be happening:
index ="whatever" source="path of the log file" earliest=0 latest=+10d
/opt/splunk/bin/splunk btool props list <sourcetype> --debug
Hope this helps.
Hi @chrisyoungerjds
Regards,
AKN
Hi aknsun, are you able to share an example of the log file lines that are not displaying, along with the search you are running?
Search
Index = "index name" source = "path of the log file"
Search only returns the 3rd line in this case. The first 2 lines are not returned.
Log details (Masked here)
2019-01-23 04:18:04,537 INFO [pool-1-thread-1] Create ******** success.
2019-01-23 11:03:01,994 INFO [pool-1-thread-2] Create ******** success.
2019-01-23 11:37:14,436 INFO [pool-1-thread-3] Create ******** success.