Getting Data In

How did logs from a heavy forwarder get indexed when Splunk was not running?

Madhan45
Path Finder

Splunk was running on a heavy forwarder during the time period 00:00 to 00:20. Related logs also have been found in splunkd.log & splunkd_stderr.log.
I got few logs from the HF at 23:00. How is it possible?
If Splunk is not running, how did these logs get indexed?

0 Karma

jmallorquin
Builder

Hi,

If the logs has timestamp, splunk index in the timestamp of the log. So if the log was create at 23:00, its normal that you have events in that time. Also review the timezone in which you are index the events.

Hope i help you.

0 Karma

Madhan45
Path Finder

The event generated time and index time both are same. there was no lagging in event. splunk was running only for the time period 00:00 00:20 after thet till now i didn't start splunk. then how did those logs get index?

0 Karma

jmallorquin
Builder

Open the events of the log and check if are there events from 23:00

Hope i help you

0 Karma
Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...