Indexing issue- Why is data going on and off?

ssuluguri · ‎07-11-2023

Hi Team,

We are ingesting data from syslot to splunk using Cyberark App . Data is going ON and OFF even though data available on /var/log/Cyberark .

Can you suggest what can be the issue .

mansisona · ‎03-19-2024

I am facing the same issue while using a scripted input. Did you find any ways to identify the root cause and fix it ? We are receiving data from a scripted input. we also tried putting that data in a csv file which has all the data. but still we are observing issues with data missing

meetmshah · ‎07-12-2023

Hello @ssuluguri, Can you please confirm below -

How the _time is being extracted? If it's based on events - can you validate if the timestamp extraction is performed correctly?
Can you check queues on the indexers?
Can you run the search on real-time in Splunk along with running tcpdump on the host and validate if both are matching?

ssuluguri · ‎07-12-2023

You can also refer below screenshot.

ssuluguri · ‎07-12-2023

Thanks for the reply Meet.

1.Data is indexing on cloud

2.Data automatically populating for sometimes and going OFF.

Backend raw data .

Indexing issue- Why is data going on and off?

indexer

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk