Solved: Re: Not able to find sourcetype

Praz_123 · ‎10-16-2023

Will i am seeing the events data is showing but there is sourcetype is missing for last 24 hours.

What could be the reason , how to check .

gcusello · ‎10-16-2023

Hi @Praz_123,

how do you read the logs? are they in a file?

if yes, check if in the file there are logs in the missing periods.

if not, the issue is outside Splunk.

If yes, your should check if they were writtend moment by moment or after a delay.

For this reason I hint to create an alert depending on the update frequency of your data (e.g. every 15 minutes).

So you can immediately check if the issue is in Splunk or outside it.

Ciao.

Giuseppe

View solution in original post

gcusello · ‎10-16-2023

Hi @Praz_123,

if one sourcetype was present and noy it's missing, there could be two reasons:

you modified the inputs.conf assigning the sourcetype to a data flow,
the data flow stopped.

You can check the first choice viewing if someone modified the inputs.conf that should ingest data.

For the second choice you should analyze, if you're still receiving data and when the data stopped:

index=your_index sourcetype=your_sourcetype
| head 10

Ciao.

Giuseppe

Praz_123 · ‎10-16-2023

@gcusello
Thanks for your reply , but the data is visible like in 7 days it will be like 6 days visible 1 day missing or 5 days visible 2 days missing vice-versa .

what could be solution for that

gcusello · ‎10-16-2023

Hi @Praz_123,

you should create an alert when data flow stopped and immediately see if there something that blocked it.

then, if the data flow arrives from text files, you could see if in the files there are data in the missing periods.

Ciao.

Giuseppe

Praz_123 · ‎10-16-2023

@gcusello

No Recent Logs Found for Source: abc:conf
No Splunk ingestion for Glo_Pa Alxt Ingestion found in the last 24 hours for:
Index: glo_pa_logs
SourceType: abc:conf

How to find in SSH or in UI

gcusello · ‎10-16-2023

Hi @Praz_123,

let me understand:

if you run this search:

index=glo_pa_logs sourceType=abc:conf

in the last 24 hours, have you results?

have you results in the last 7 days?

running this search:

index=glo_pa_logs sourceType=abc:conf 
| timechart span=1h count

what are the results?

Ciao.

Giuseppe

Praz_123 · ‎10-16-2023

@gcusello

Have a look in the ss able to see the data for last few days but not for last 3 days ,how to check that what is happen to the data for last 3 days .

gcusello · ‎10-16-2023

Hi @Praz_123,

how do you read the logs? are they in a file?

if yes, check if in the file there are logs in the missing periods.

if not, the issue is outside Splunk.

If yes, your should check if they were writtend moment by moment or after a delay.

For this reason I hint to create an alert depending on the update frequency of your data (e.g. every 15 minutes).

So you can immediately check if the issue is in Splunk or outside it.

Ciao.

Giuseppe

Praz_123 · ‎10-17-2023

@gcusello

Thanks for support 🙂

gcusello · ‎10-17-2023

Hi @Praz_123 ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Not able to find sourcetype

other

panel

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?