
Is there a configuration that would set Splunk to ignore log events above a daily threshold?

jyppy
Explorer

I have 2 hosts logging to Splunk via syslog. Events are received for both for a while... then one of them (the most verbose of the 2) is being ignored after ~24 hours!!!

I restart splunk and indexing resumes...

I've noticed that the "Data Summary" shows events being received (timestamps are current), but using Search, no recent entries show for that host!!!

Is there a configuration option that would set Splunk to ignore log events above a daily threshold? Nothing is showing in "Splunk Messages"

Thanks

1 Solution

jyppy
Explorer

The root cause was multiline support.

1) I added the following to my props.conf file:

[src-voip]
BREAK_ONLY_BEFORE = ^<\d+\>

2) created a new data source with this source type.

All good now.
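
As an added illustration (not code from the thread or from Splunk), the script below is a simplified Python model of the line-breaking rule above: a constructed syslog sample with a multi-line SIP body is grouped into events either per newline or only before the `<PRI>` prefix, and events with no parseable timestamp inherit the previous event's stamp, as the splunkd warning in this thread describes. Host names, addresses and the year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: two syslog events from a VoIP host; the second line of the
# first event is a multi-line SIP body, so a per-newline break produces fragments
# that carry no timestamp of their own.
SAMPLE = (
    "<134>Aug 23 11:19:55 pbx01 sip: INVITE sip:2001@pbx01 SIP/2.0\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\n"
    "From: <sip:1001@pbx01>;tag=1928301774\n"
    "<134>Aug 23 11:19:56 pbx01 sip: SIP/2.0 200 OK\n"
)

PRI_BREAK = re.compile(r"^<\d+>")  # the BREAK_ONLY_BEFORE pattern from the answer
SYSLOG_TS = re.compile(r"^<\d+>([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})")
YEAR = 2014  # RFC 3164 timestamps carry no year; assumed for the sample

def break_events(raw, break_before=None):
    """Group raw lines into events. With break_before=None every line becomes
    its own event (a per-newline break); otherwise a new event starts only on a
    line matching break_before and other lines are appended to the current one."""
    events = []
    for line in raw.splitlines():
        if break_before is None or break_before.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events

def assign_timestamps(events):
    """Return (timestamp, defaulted) per event. Mirrors the splunkd warning:
    an event without a parseable stamp gets the previous event's timestamp."""
    out, prev = [], None
    for ev in events:
        m = SYSLOG_TS.match(ev)
        if m:
            prev = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((prev, False))
        else:
            out.append((prev, True))
    return out

def defaulted_count(raw, break_before=None):
    """Number of events whose timestamp had to be defaulted."""
    return sum(d for _, d in assign_timestamps(break_events(raw, break_before)))

if __name__ == "__main__":
    print("per-newline break, defaulted stamps:", defaulted_count(SAMPLE))
    print("BREAK_ONLY_BEFORE=^<\\d+>, defaulted stamps:", defaulted_count(SAMPLE, PRI_BREAK))
```

Running it shows the fragments from the SIP body inheriting the earlier stamp under a per-newline break, and no defaulted stamps once events break only before `<PRI>`; the same check (does every event begin with `<PRI>` plus a timestamp?) is what a search over the raw events on the indexer would confirm.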


grijhwani
Motivator

Accept your own answer. Good to know you found the solution.


Ayn
Legend

Nope, there's no such configuration setting. Your problems are due to something else. I don't know exactly what, unfortunately, but here are some troubleshooting tips:

  • Check if events are actually coming in but for some reason getting a wrong timestamp, by doing a real-time search for your host. Or run a search for your host and use the _index_earliest parameter, for instance "_index_earliest=-15m"
  • Check splunkd.log for errors related to these events.

jyppy
Explorer

Great tip,

Looking at the splunkd log.... full of "Failed to parse timestamp."

search string: index=_internal source="/splunk/var/log/splunk/splunkd.log"

08-23-2014 11:19:56.801 +1000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Aug 22 01:50:00 2014). Context: source::udp:50514|host::192.168.2.200|syslog|

I'll have to check the source and see the format of the syslog event. NTP clock is OK....

Thanks
