Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Assistance Needed for Identifying Logs for Connection Issues in Splunk

Rahul_a
Explorer
‎06-12-2024 09:56 AM

I am planning to build a Splunk dashboard for monitoring connection issues from various sources. Specifically, I need to identify when a connection fails or when an application stops sending data to Splunk and display these issues on the dashboard. The data sources include:

  • Application server universal forwarder to our Splunk heavy forwarder
  • HEC (HTTP Event Collector)
  • Various add-ons (e.g., Azure add-on, AWS add-on, DB Connect add-on)

I am aware that many logs can be found under index=_internal, but I need assistance in identifying the necessary logs that pertain to real-time errors or connection failures. Could you please help me with this?

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-02-2024 12:46 AM

There are at least two separate issues here.

One is monitoring for data that used to be ingested but is no more, regardless of the reason for it (maybe there is a configuration problem on the receving end, maybe the source simply stopped sending data, maybe something else). There are several apps for that on Splunkbase. For example TrackMe - https://splunkbase.splunk.com/app/4621

Another thing is finding errors coming from your inputs (expired certs, broken connections, non-responding API endpoints and so on). And this is something you'd normally look for in _internal index indeed add those you'll find primarily in splunkd.log but also specific add-ons can create their own log files. So it's a bit more complicated than just a single search to find everything that's wrong.

Reply

Rahul_a
Explorer
‎06-27-2024 03:21 PM

Hello 
I know its already 2 weeks but still waiting for answer can any one help me out

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...