Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to detect Splunk log ingestion failure?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to detect Splunk log ingestion failure?
I'm working with Splunk setup to copy and index disk logs from remote servers using scheduled rsync transfer.
The rsync transfer job has a bandwidth limit specified to avoid overloading the remote servers and the Splunk server.
During a recent incident, this rsync bandwidth limit was reached because logs grew too quickly (about 5 GB/hour for about a day). During this time, logs were not transferred for indexing.
This is as designed, but Splunk reports nothing for that timeframe, nor gives an indication that data is missing.
Our Splunk admin says the rsync transfer failures cannot be reported. Is there a way to use Splunk to detect when logs were not indexed as expected?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could turn on the Splunk Deployment Monitor app (it comes with Splunk).
It has some dashboards that show which forwarders are forwarding LESS than usual. You can also set alerts from within the Deployment Monitor.
This is why I don't like using rsync unless it is absolutely necessary. You end up having to manually deal with the corner cases when rsync doesn't work. Using a Splunk forwarder is a lot less hassle.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks - that sounds sensible.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would just set up an alert that emails you once a certain number of events falls below your given threshold.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, that would work but may cause a few false positives; for example, when a server was down for maintenance.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
