1) If Splunk can't read a date in certain instances, what troubleshooting should I do?
2) If I've onboarded application logs into Splunk and the agent is running, but when I query I don't get any results, what can be the causes and how do I identify them?
What do you mean "Certain instances"?
Splunk has a number of pre-defined sourcetypes (like JSON, CSV, syslog, etc.) that will automatically do things like event parsing and timestamp recognition. If that is not happening with certain instances of your logs, you may have to tell Splunk how to assign the timestamp to your logs in the
I would start by using $SPLUNK_HOME/bin/splunk btool and looking at your inputs to make sure things like the input's hostname and the index name are correct. You'd also want to use btool to ensure your outputs are correct. Then you could start looking into splunkd.log ($SPLUNK_HOME/var/log/splunk/splunkd.log) for any errors that may be occurring (like, are you getting any errors when trying to connect to your indexer?). If all of that checks out and you are seeing monitoring of your logs on the forwarder, then you would want to check your indexer for things like ensuring the index exists and whether the role has permissions to search it.
Here are some good resources for timestamping and linebreaking:
This is just to get you started, though. There are a TON of resources out there.
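The checklist in the answer above (btool for the merged inputs/outputs, then splunkd.log for errors, then a props.conf stanza for timestamp and line-breaking rules), as an added example that is not part of the original thread. It assumes a forwarder install under SPLUNK_HOME (defaulting to /opt/splunkforwarder) and skips the btool steps when no binary is there; the splunkd.log excerpt it parses is constructed to resemble the real file's layout, and the sourcetype name my_app and the TIME_FORMAT value are example values to adapt to your own logs.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a forwarder install at
# SPLUNK_HOME (default /opt/splunkforwarder); btool steps are skipped if absent.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Step 1: print the merged inputs/outputs config. --debug prefixes each line
# with the .conf file it came from, which is how you spot a stale index name
# or a wrong host setting that a local .conf is overriding.
show_effective_config() {
  if [ ! -x "$SPLUNK_HOME/bin/splunk" ]; then
    echo "no splunk binary under $SPLUNK_HOME, skipping btool" >&2
    return 1
  fi
  "$SPLUNK_HOME/bin/splunk" btool inputs list --debug
  "$SPLUNK_HOME/bin/splunk" btool outputs list --debug
}

# Step 2: tally ERROR/WARN lines in splunkd.log per component.
# splunkd.log fields: date time tz LEVEL Component - message
# Output: "<count> <LEVEL> <Component>", highest count first.
summarize_splunkd_log() {
  awk '$4 == "ERROR" || $4 == "WARN" { n[$4 " " $5]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Return 0 if the log shows the forwarder failing to reach an indexer.
has_indexer_connection_errors() {
  grep -q 'TcpOutputFd - Connection to host=.* failed' "$1"
}

# Step 3: a props.conf stanza that pins timestamp extraction and line breaking
# for a sourcetype whose lines start with "2024-01-15 10:22:33,123 ...".
# TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD (23 = length of that prefix) and TZ
# are example values; adjust them to your log's actual timestamp.
write_timestamp_props() {
  cat > "$2" <<EOF
[$1]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 23
TZ = UTC
EOF
}

# --- demo on a constructed splunkd.log excerpt (not real forwarder output) ---
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
01-15-2024 10:22:31.004 +0000 INFO TailReader - Registering file=/var/log/app/app.log
01-15-2024 10:22:33.120 +0000 WARN TailReader - Could not open file=/var/log/app/app.log (Permission denied)
01-15-2024 10:22:40.507 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.5:9997 failed
01-15-2024 10:23:10.511 +0000 ERROR TcpOutputFd - Connection to host=10.0.0.5:9997 failed
EOF

show_effective_config || true
echo "Error/warning summary from $SAMPLE_LOG:"
summarize_splunkd_log "$SAMPLE_LOG"
if has_indexer_connection_errors "$SAMPLE_LOG"; then
  echo "forwarder cannot reach the indexer: check outputs.conf and that port 9997 is reachable"
fi

PROPS_FILE=$(mktemp)
write_timestamp_props my_app "$PROPS_FILE"
echo "wrote example timestamp stanza to $PROPS_FILE"
```

Run the summary against the real $SPLUNK_HOME/var/log/splunk/splunkd.log once the demo makes sense; a WARN from the tailing component next to an ERROR from the output component tells you whether the problem is reading the file or shipping the events, which is the split the answer describes.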
Thanks for the reply. Sorry, I meant data. If I don't see data coming into Splunk, or if I miss data, then what troubleshooting should I do?
Also, what troubleshooting is required for performance issues?
The Splunk Monitoring Console is excellent for troubleshooting performance issues:
Here is also some documentation around indexing performance troubleshooting:
If you are having issues with data missing, or not being read by Splunk, check things like file and directory permissions for the user running Splunk and reference this documentation:
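The permission check suggested above, as an added example that is not part of the original thread: a file is only readable by the Splunk service account if every parent directory grants it search (execute) permission and the file itself grants read. The script tests the account it is run as, so run it as that account (for instance via sudo -u); the demo paths under a temporary directory are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks whether the account
# running this script can read a monitored file the way the Splunk service
# account would need to: execute on every parent directory, read on the file.
# Run it as the Splunk service account (e.g. "sudo -u splunk sh check.sh").

# Usage: check_monitor_path /var/log/app/app.log
# Returns 0 when readable, 1 otherwise, and prints the first component
# that blocks access so you know which chmod/chown to fix.
check_monitor_path() {
  path=$1
  if [ ! -e "$path" ]; then
    echo "missing: $path"
    return 1
  fi
  # walk parent directories upward; each one needs the search (x) bit
  dir=$(dirname "$path")
  while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
    if [ ! -x "$dir" ]; then
      echo "no search (x) permission on directory: $dir"
      return 1
    fi
    dir=$(dirname "$dir")
  done
  if [ ! -r "$path" ]; then
    echo "no read permission on: $path"
    return 1
  fi
  echo "readable: $path"
  return 0
}

# --- demo on constructed paths in a temporary directory ---
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/app"
echo "2024-01-15 10:22:33,123 INFO application started" > "$DEMO_DIR/app/app.log"
check_monitor_path "$DEMO_DIR/app/app.log"
check_monitor_path "$DEMO_DIR/app/missing.log" || true
```

Point it at the paths from your inputs.conf monitor stanzas; a "missing" result usually means the path or glob in the stanza does not match what the application actually writes, while a directory without the search bit is the classic cause of a silently empty index.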