Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Assistance Needed for Identifying Logs for Connection Issues in Splunk

Rahul_a
Explorer
‎06-12-2024 09:56 AM

I am planning to build a Splunk dashboard for monitoring connection issues from various sources. Specifically, I need to identify when a connection fails or when an application stops sending data to Splunk and display these issues on the dashboard. The data sources include:

  • Application server universal forwarder to our Splunk heavy forwarder
  • HEC (HTTP Event Collector)
  • Various add-ons (e.g., Azure add-on, AWS add-on, DB Connect add-on)

I am aware that many logs can be found under index=_internal, but I need assistance in identifying the necessary logs that pertain to real-time errors or connection failures. Could you please help me with this?

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-02-2024 12:46 AM

There are at least two separate issues here.

One is monitoring for data that used to be ingested but is no more, regardless of the reason for it (maybe there is a configuration problem on the receving end, maybe the source simply stopped sending data, maybe something else). There are several apps for that on Splunkbase. For example TrackMe - https://splunkbase.splunk.com/app/4621

Another thing is finding errors coming from your inputs (expired certs, broken connections, non-responding API endpoints and so on). And this is something you'd normally look for in _internal index indeed add those you'll find primarily in splunkd.log but also specific add-ons can create their own log files. So it's a bit more complicated than just a single search to find everything that's wrong.

Reply

Rahul_a
Explorer
‎06-27-2024 03:21 PM

Hello 
I know its already 2 weeks but still waiting for answer can any one help me out

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...