I have 2 hosts logging to Splunk via syslog. Events are received for both for a while... then one of them (the most verbose of the 2) is being ignored after ~24 hours!!!
I restart splunk and indexing resumes...
I've noticed that the "Data Summary" shows events being received (timestamps are current), but using the Search, no recent entry shows for that host!!!
Is there a configuration option that would set Splunk to ignore log events above a daily threshold? Nothing is showing in "Splunk Messages".
Thanks
The root cause was multiline support.
1) I added the following to my props.conf file:
[src-voip]
BREAK_ONLY_BEFORE = ^<\d+\>
2) created a new data source with this source type.
All good now.
Accept your own answer. Good to know you found the solution.
Nope, there's no such configuration setting. Your problems are due to something else. I don't know exactly what unfortunately, but some troubleshooting tips:
the _index_earliest parameter, for instance "_index_earliest=-15m"
Great tip, looking at the splunkd log.... it's full of "Failed to parse timestamp."
search string: index=_internal source="/splunk/var/log/splunk/splunkd.log"
08-23-2014 11:19:56.801 +1000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Aug 22 01:50:00 2014). Context: source::udp:50514|host::192.168.2.200|syslog|
I'll have to check the source and see the format of the syslog event. NTP clock is OK....
Thanks
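To tie the accepted answer's BREAK_ONLY_BEFORE stanza to the "Failed to parse timestamp. Defaulting to timestamp of previous event" warning and to the _index_earliest tip, here is a small Python simulation of the indexing steps involved. It is an added example, not Splunk code and not anything posted in the thread: break_events mimics a BREAK_ONLY_BEFORE rule, parse_event_time mimics a timestamp extractor that falls back to the previous event's time, and search mimics a time-window search on _time versus _indextime. The sample lines, the sipd process name and the message texts are constructed; the host 192.168.2.200 and the fallback time Aug 22 01:50:00 are the values quoted in the warning on the page, and NOW is an assumed indexing time.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not captured from the poster's hosts): lines as a
# UDP syslog listener hands them to the indexer. Two messages carry no
# timestamp field, and one message is followed by continuation lines that
# have no <PRI> header at all.
RAW_LINES = [
    "<134>sipd[1234]: heartbeat",
    "<134>sipd[1234]: registration refresh",
    "<134>Aug 23 11:19:50 192.168.2.200 sipd[1234]: INVITE from 10.0.0.5",
    "<134>Aug 23 11:19:52 192.168.2.200 sipd[1234]: call trace follows",
    "    via: 10.0.0.5:5060;branch=z9hG4bK776asdhds",
    "    contact: sip:alice@10.0.0.5",
    "<134>Aug 23 11:19:55 192.168.2.200 sipd[1234]: BYE from 10.0.0.5",
]

# Python equivalent of the page's stanza  BREAK_ONLY_BEFORE = ^<\d+\>
# (the escaped '>' in the stanza only matches a literal '>').
PRI_HEADER = re.compile(r"^<\d+>")
# BSD syslog timestamp ("Mon DD HH:MM:SS") immediately after the PRI header.
SYSLOG_TS = re.compile(r"^<\d+>([A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d)")

NOW = datetime(2014, 8, 23, 11, 20, 0)                 # assumed indexing time
PREVIOUS_EVENT_TIME = datetime(2014, 8, 22, 1, 50, 0)  # value quoted in the page's warning
FIFTEEN_MIN = timedelta(minutes=15)


def break_events(lines, break_before=PRI_HEADER):
    """Merge raw lines into events: a new event starts only at a line that
    matches break_before; every other line is appended to the current event."""
    events = []
    for line in lines:
        if not events or break_before.match(line):
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def parse_event_time(event, year, previous_time):
    """Return (event time, parsed_ok). When no timestamp is found the event
    inherits the previous event's time, the behaviour the page's warning
    'Defaulting to timestamp of previous event' describes."""
    m = SYSLOG_TS.match(event)
    if m is None:
        return previous_time, False
    # Syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), True


def index_lines(lines, year, index_time, first_fallback):
    """Simulated indexing pass: break lines, assign _time, stamp _indextime."""
    indexed, previous = [], first_fallback
    for raw in break_events(lines):
        t, ok = parse_event_time(raw, year, previous)
        indexed.append({"_raw": raw, "_time": t, "_indextime": index_time, "ts_parsed": ok})
        previous = t
    return indexed


def search(indexed, now, earliest=None, index_earliest=None):
    """Time-window search: `earliest` filters on _time (the normal time picker),
    `index_earliest` filters on _indextime like the _index_earliest parameter."""
    hits = []
    for ev in indexed:
        if earliest is not None and ev["_time"] < now - earliest:
            continue
        if index_earliest is not None and ev["_indextime"] < now - index_earliest:
            continue
        hits.append(ev)
    return hits


def run_demo():
    """Index the sample, then compare a 15-minute window on _time with the
    same window on _indextime."""
    indexed = index_lines(RAW_LINES, 2014, NOW, PREVIOUS_EVENT_TIME)
    return {
        "events": len(indexed),
        "unparsed_timestamps": sum(1 for ev in indexed if not ev["ts_parsed"]),
        "hits_by_time": len(search(indexed, NOW, earliest=FIFTEEN_MIN)),
        "hits_by_indextime": len(search(indexed, NOW, index_earliest=FIFTEEN_MIN)),
    }


if __name__ == "__main__":
    for ev in index_lines(RAW_LINES, 2014, NOW, PREVIOUS_EVENT_TIME):
        flag = "" if ev["ts_parsed"] else "  <- timestamp not parsed, inherited previous _time"
        print(f"{ev['_time']}  {ev['_raw'].splitlines()[0]}{flag}")
    print(run_demo())
```

Running it shows the seven raw lines collapsing into five events (the two continuation lines are folded into the "call trace" message because they do not start with a PRI header), and the two header-only messages landing a day in the past because they inherited the stale fallback time. A search over the last 15 minutes of _time therefore returns three events while the same window on _indextime returns all five, which matches the symptom in the question: "Data Summary" shows arrivals, the default search shows nothing recent. If the broken host's clock or log format keeps the warning firing, the first thing to check after the line-breaking fix is whether its timestamp format is one the TIME_FORMAT for the source type actually matches.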