Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a configuration that would set Splunk to ignore log events above a daily threshold?

jyppy
Explorer
‎08-21-2014 03:46 PM

I have 2 hosts logging to splunk via syslog. Events are received for both for a while... then one of them (the most verbose of the 2) is being ignored after ~ 24hours !!!

I restart splunk and indexing resumes...

I've noticed that the "Data Summary" shows events being received. (time stamps are current), but using the Search, I get no recent entry shows for that host!!!

Is there a configuration option that would set Splunk to ignore log events above a daily threshold? Nothing is showing in "Splunk Messages"

Thanks

Reply
1 Solution
Solved! Jump to solution
Solution

jyppy
Explorer
‎08-25-2014 04:04 AM

The root cause was multiline support.

1) I added the following to my props.conf file:

[src-voip]
BREAK_ONLY_BEFORE = ^<\d+\>

2) created a new data source with this source type.

All good now.

View solution in original post

Reply
Solved! Jump to solution
Solution

jyppy
Explorer
‎08-25-2014 04:04 AM

The root cause was multiline support.

1) I added the following to my props.conf file:

[src-voip]
BREAK_ONLY_BEFORE = ^<\d+\>

2) created a new data source with this source type.

All good now.

Reply
Solved! Jump to solution

grijhwani
Motivator
‎08-25-2014 06:27 AM

Accept your own answer. Good to know you found the solution.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎08-22-2014 12:38 AM

Nope, there's no such configuration setting. Your problems are due to something else. I don't know exactly what unfortunately, but some troubleshooting tips:

  • Check if events are actually coming in but for some reason getting a wrong timestamp, by doing a realtime search for your host. Or run a search for your host and use the _index_earliest parameters, for instance "_index_earliest=-15m"
  • Check splunkd.log for errors related to these events.
Reply
Solved! Jump to solution

jyppy
Explorer
‎08-22-2014 06:31 PM

Great tip,

looking at the splunkd log.... full of " Failed to parse timestamp."

search string: index=_internal source="/splunk/var/log/splunk/splunkd.log"

08-23-2014 11:19:56.801 +1000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Aug 22 01:50:00 2014). Context: source::udp:50514|host::192.168.2.200|syslog|

I'll have to check to source and see the format of syslog event. NTP clock is OK....

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...