Getting Data In

How to troubleshoot why 1 of 2 files is no longer getting indexed after updating glibc and restarting our heavy forwarders using Splunk 5.0.11?

Sqig
Path Finder

Hi. This is regarding Splunk 5.0.11 Universal Forwarder and Heavy Forwarder.

We rebooted 2 Heavy Forwarders today (after updating glibc) and now, we are only seeing 1 of the 2 files that each of our Universal Forwarders reads and forwards.

I know the data is not getting to the Indexer (or at least is not getting indexed).

Is there a best practice for determining whether or not data is at least getting TO the heavy forwarder?

I did try adding crcSalt= in the stanza in inputs.conf on the universal forwarder that specifies the data we're missing, just in case something cropped up.

Thanks for any suggestions to help us get started with this one...

0 Karma
1 Solution

Sqig
Path Finder

I ended up working with Splunk Support on this one. For reasons neither of us can pinpoint, it seems that rebooting the whole server that the Heavy forwarder ran on stopped proper timestamp parsing for the events from that one logfile.

Explicitly specifying the timezone resolved the issue.

Sqig
Path Finder

A little more info: I saw references to my missing sourcetype in the metrics.log on one of the source servers. Also, hitting /services/admin/inputstatus/TailingProcessor%3AFileStatus on a source server showed the files I am looking for as having been read to 100% completion.

And I checked the per_sourcetype_thruput on the indexers, and that seems to show no difference in volume from previous days. However, I absolutely do NOT see any indication in the index itself that the data is present. I even searched index=* just to be sure.

Now I'm really puzzled....

0 Karma
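Two things in this thread lend themselves to a small triage script: the accepted answer (the file stopped being indexed because timestamps were no longer parsed correctly until a timezone was set explicitly) and the follow-up that checked metrics.log and per_sourcetype_thruput to confirm the forwarders were still emitting the data. The example below is added here and is not code from the thread or from Splunk; the metrics.log lines it parses are constructed to match Splunk's key=value metrics format, and the sourcetype names, host name, offsets and the "last hour" search window are assumptions. It shows, first, how to total per-sourcetype volume from metrics.log and flag an expected sourcetype that emitted nothing, and second, how a log timestamp that carries no zone information lands at different _time values depending on the zone assumed for it, so that a search over a recent window can miss events that were in fact indexed.

```python
"""Triage helpers for "data is forwarded but I can't find it in the index".

Added example, not from the original thread.  Two checks:
  1. parse per_sourcetype_thruput lines from metrics.log to see which
     sourcetypes a forwarder actually emitted, and how much;
  2. show how a zone-less log timestamp is assigned different event times
     depending on the timezone assumed for it, which is why an explicit TZ
     matters: an event timed hours off falls outside a "last hour" search.
The metrics.log excerpt below is constructed, not taken from the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed metrics.log excerpt (Splunk's "group=..., series=..." key=value form).
# "app_access" reports events in the first interval and nothing in the second;
# "app_error" never appears at all.
METRICS_LOG = """\
05/22/2024 10:15:30.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="app_audit", kbps=1.234, eps=5.600, kb=38.200, ev=170, avg_age=0.1, max_age=1
05/22/2024 10:15:30.123 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="app_access", kbps=0.512, eps=2.100, kb=15.900, ev=65, avg_age=0.0, max_age=0
05/22/2024 10:15:30.123 +0000 INFO  Metrics - group=per_host_thruput, series="uf01", kbps=1.746, eps=7.700, kb=54.100, ev=235, avg_age=0.1, max_age=1
05/22/2024 10:16:01.004 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="app_audit", kbps=1.100, eps=5.000, kb=34.100, ev=155, avg_age=0.1, max_age=1
05/22/2024 10:16:01.004 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="app_access", kbps=0.000, eps=0.000, kb=0.000, ev=0, avg_age=0.0, max_age=0
"""

THRUPUT_RE = re.compile(
    r'group=(?P<group>\w+), series="(?P<series>[^"]+)", '
    r'kbps=(?P<kbps>[\d.]+), eps=(?P<eps>[\d.]+), kb=(?P<kb>[\d.]+), ev=(?P<ev>\d+)'
)


def sourcetype_volume(log_text, group="per_sourcetype_thruput"):
    """Return {series: {"kb": total_kb, "ev": total_events}} for one metrics group."""
    totals = defaultdict(lambda: {"kb": 0.0, "ev": 0})
    for line in log_text.splitlines():
        m = THRUPUT_RE.search(line)
        if not m or m.group("group") != group:
            continue
        totals[m.group("series")]["kb"] += float(m.group("kb"))
        totals[m.group("series")]["ev"] += int(m.group("ev"))
    return dict(totals)


def silent_sourcetypes(log_text, expected):
    """Expected sourcetypes for which this metrics.log excerpt shows zero events.

    If a sourcetype shows up here with volume, the forwarder did read and
    emit it; the problem is downstream (parsing, timestamps, routing)."""
    vol = sourcetype_volume(log_text)
    return sorted(st for st in expected if vol.get(st, {"ev": 0})["ev"] == 0)


def assign_event_time(raw_ts, assumed_utc_offset_hours, fmt="%Y-%m-%d %H:%M:%S"):
    """Interpret a timestamp that carries no zone under an assumed fixed offset.

    A fixed offset is used here for portability; a real props.conf TZ setting
    takes a zone name.  Returns an aware datetime normalised to UTC."""
    naive = datetime.strptime(raw_ts, fmt)
    assumed = timezone(timedelta(hours=assumed_utc_offset_hours))
    return naive.replace(tzinfo=assumed).astimezone(timezone.utc)


def in_search_window(event_time, now, lookback=timedelta(hours=1)):
    """True if the event's assigned time falls inside [now - lookback, now]."""
    return now - lookback <= event_time <= now


if __name__ == "__main__":
    for st, v in sourcetype_volume(METRICS_LOG).items():
        print(f"{st:12s} kb={v['kb']:.1f} ev={v['ev']}")
    print("silent:", silent_sourcetypes(METRICS_LOG, ["app_audit", "app_access", "app_error"]))

    now = datetime(2024, 5, 22, 11, 0, tzinfo=timezone.utc)
    raw = "2024-05-22 10:30:00"          # constructed log line timestamp, no zone
    for offset in (0, -4, +2):           # UTC, a UTC-4 zone, a UTC+2 zone
        t = assign_event_time(raw, offset)
        print(f"assumed UTC{offset:+d}: _time={t.isoformat()} in_window={in_search_window(t, now)}")
```

Reading the output: the same "10:30:00" line is inside a one-hour window ending 11:00 UTC only when the zone assumed for it matches the zone the file was written in; under a UTC-4 assumption it is timed four hours into the future and under UTC+2 it is two hours too old, and a "last hour" search returns nothing even though metrics.log proves the bytes were forwarded. Searching with an explicit wide time range (including the future) is the quick way to spot this before setting TZ in props.conf.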