Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is there an internal log in Splunk with the number...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jhigginsmq
Path Finder
12-13-2016
05:31 AM
Hi.
We have recently been inadvertently sending some events to the null queue, due to a new data source that matches a greedy regex pattern specified in transforms.conf on the indexer. We can correct the regex easily, but as I understand it, the events are lost for good as there is no copy of the raw data anywhere.
My question: is there maybe a log in Splunk that will advise on the number of events sent to the null queue? It would be good to know the fraction of incoming events being discarded, although some of these will be from a legitimate, intended match to the regex in transforms.conf.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twinspop
Influencer
12-13-2016
07:33 AM
index=_internal component=metrics processor=nullqueue group=pipeline sourcetype=splunkd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-13-2016
07:35 AM
Give this a try
index=_internal sourcetype=splunkd source=*metrics.log group=pipeline processor=nullqueue | stats sum(executes) as NullQueueInvocations
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
twinspop
Influencer
12-13-2016
07:33 AM
index=_internal component=metrics processor=nullqueue group=pipeline sourcetype=splunkd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jhigginsmq
Path Finder
12-14-2016
02:43 AM
Thanks guys, I used up my '2 posts a day' yesterday so just responding now... I've never really looked at metrics.log before but been reading up on it, looks to be quite useful, cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
koshyk
Super Champion
12-13-2016
06:07 AM
Are you dropping at "heavy forwarders" or at "indexers" ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jhigginsmq
Path Finder
12-13-2016
06:17 AM
Hi Koshyk, this would be at the indexers.
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
