Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Is there a configuration that would set Splunk to ignore log events above a daily threshold?

jyppy
Explorer
‎08-21-2014 03:46 PM

I have 2 hosts logging to splunk via syslog. Events are received for both for a while... then one of them (the most verbose of the 2) is being ignored after ~ 24hours !!!

I restart splunk and indexing resumes...

I've noticed that the "Data Summary" shows events being received. (time stamps are current), but using the Search, I get no recent entry shows for that host!!!

Is there a configuration option that would set Splunk to ignore log events above a daily threshold? Nothing is showing in "Splunk Messages"

Thanks

Reply
1 Solution
Solved! Jump to solution
Solution

jyppy
Explorer
‎08-25-2014 04:04 AM

The root cause was multiline support.

1) I added the following to my props.conf file:

[src-voip]
BREAK_ONLY_BEFORE = ^<\d+\>

2) created a new data source with this source type.

All good now.

View solution in original post

Reply
Solved! Jump to solution
Solution

jyppy
Explorer
‎08-25-2014 04:04 AM

The root cause was multiline support.

1) I added the following to my props.conf file:

[src-voip]
BREAK_ONLY_BEFORE = ^<\d+\>

2) created a new data source with this source type.

All good now.

Reply
Solved! Jump to solution

grijhwani
Motivator
‎08-25-2014 06:27 AM

Accept your own answer. Good to know you found the solution.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎08-22-2014 12:38 AM

Nope, there's no such configuration setting. Your problems are due to something else. I don't know exactly what unfortunately, but some troubleshooting tips:

  • Check if events are actually coming in but for some reason getting a wrong timestamp, by doing a realtime search for your host. Or run a search for your host and use the _index_earliest parameters, for instance "_index_earliest=-15m"
  • Check splunkd.log for errors related to these events.
Reply
Solved! Jump to solution

jyppy
Explorer
‎08-22-2014 06:31 PM

Great tip,

looking at the splunkd log.... full of " Failed to parse timestamp."

search string: index=_internal source="/splunk/var/log/splunk/splunkd.log"

08-23-2014 11:19:56.801 +1000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Aug 22 01:50:00 2014). Context: source::udp:50514|host::192.168.2.200|syslog|

I'll have to check to source and see the format of syslog event. NTP clock is OK....

Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...