Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Not able to find sourcetype

Praz_123
Communicator
‎10-16-2023 02:26 AM

Will i am seeing the events data is showing but there is sourcetype is missing for last 24 hours.

What could be the reason , how to check .

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-16-2023 11:36 PM

Hi @Praz_123,

how do you read the logs? are they in a file?

if yes, check if in the file there are logs in the missing periods.

if not, the issue is outside Splunk.

If yes, your should check if they were writtend moment by moment or after a delay.

For this reason I hint to create an alert depending on the update frequency of your data (e.g. every 15 minutes).

So you can immediately check if the issue is in Splunk or outside it.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-16-2023 03:42 AM

Hi @Praz_123,

if one sourcetype was present and noy it's missing, there could be two reasons:

  • you modified the inputs.conf assigning the sourcetype to a data flow,
  • the data flow stopped.

You can check the first choice viewing if someone modified the inputs.conf that should ingest data.

For the second choice you should analyze, if you're still receiving data and when the data stopped:

index=your_index sourcetype=your_sourcetype
| head 10

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Praz_123
Communicator
‎10-16-2023 03:46 AM

@gcusello 
Thanks for your reply , but the data is visible like in 7 days it will be like 6 days visible 1 day missing or 5 days visible 2 days missing vice-versa .

what could be solution for that 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-16-2023 03:53 AM

Hi @Praz_123,

you should create an alert when data flow stopped and immediately see if there something that blocked it.

then, if the data flow arrives from text files, you could see if in the files there are data in the missing periods.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Praz_123
Communicator
‎10-16-2023 07:11 AM

@gcusello 

No Recent Logs Found for Source: abc:conf
No Splunk ingestion for Glo_Pa Alxt Ingestion found in the last 24 hours for:
Index: glo_pa_logs
SourceType: abc:conf

 

How to find in SSH or in UI

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-16-2023 09:02 AM

Hi @Praz_123,

let me understand:

if you run this search:

index=glo_pa_logs sourceType=abc:conf

 in the last 24 hours, have you results?

have you results in the last 7 days?

running this search:

index=glo_pa_logs sourceType=abc:conf 
| timechart span=1h count

what are the results?

Ciao.

Giuseppe 

0 Karma
Reply
Solved! Jump to solution

Praz_123
Communicator
‎10-16-2023 09:57 AM

@gcusello 

Have a look in the ss able to see the data for last few days but not for last 3 days ,how to check that what is happen to the data for last 3 days .

Praz_123_2-1697475399343.png

 

Praz_123_1-1697475178019.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-16-2023 11:36 PM

Hi @Praz_123,

how do you read the logs? are they in a file?

if yes, check if in the file there are logs in the missing periods.

if not, the issue is outside Splunk.

If yes, your should check if they were writtend moment by moment or after a delay.

For this reason I hint to create an alert depending on the update frequency of your data (e.g. every 15 minutes).

So you can immediately check if the issue is in Splunk or outside it.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Praz_123
Communicator
‎10-17-2023 06:37 AM

@gcusello 

Thanks for support 🙂

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-17-2023 06:39 AM

Hi @Praz_123 ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...