Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to detect Splunk log ingestion failure?

sonam
Explorer
‎08-31-2011 07:06 PM

I'm working with Splunk setup to copy and index disk logs from remote servers using scheduled rsync transfer.

The rsync transfer job has a bandwidth limit specified to avoid overloading the remote servers and the Splunk server.

During a recent incident, this rsync bandwidth limit was reached because logs grew too quickly (about 5 GB/hour for about a day). During this time, logs were not transferred for indexing.

This is as designed, but Splunk reports nothing for that timeframe, nor gives an indication that data is missing.

Our Splunk admin says the rsync transfer failures cannot be reported. Is there a way to use Splunk to detect when logs were not indexed as expected?

0 Karma
Reply

lguinn2
Legend
‎09-03-2011 10:15 AM

You could turn on the Splunk Deployment Monitor app (it comes with Splunk).

It has some dashboards that show which forwarders are forwarding LESS than usual. You can also set alerts from within the Deployment Monitor.

This is why I don't like using rsync unless it is absolutely necessary. You end up having to manually deal with the corner cases when rsync doesn't work. Using a Splunk forwarder is a lot less hassle.

0 Karma
Reply

sonam
Explorer
‎09-14-2011 10:47 PM

Thanks - that sounds sensible.

0 Karma
Reply

RicoSuave
Builder
‎08-31-2011 07:59 PM

I would just set up an alert that emails you once a certain number of events falls below your given threshold.

Reply

sonam
Explorer
‎09-14-2011 10:49 PM

Yes, that would work but may cause a few false positives; for example, when a server was down for maintenance.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...