Hi Team,
I've come across an odd problem, and I'm not sure where to start in troubleshooting.
Once a week, on a Sunday, we ingest a CSV file that contains all of our assets (splunk_devices.csv). Recently, we have noticed that there are assets in the asset list that are not present in our asset index.
Last week, for example, our static file contained 28k assets and the data ingested by Splunk only had 24k. I reviewed the list myself and can confirm that the assets were missing from Splunk. I ingested the file into my personal development environment with a dev license and had no issues at all - all 28k assets were present and accounted for.
I've found no error messages in Splunk, or any other indicators to start troubleshooting with.
Does anyone have any ideas what we could check? We're using Splunk Cloud, so have no access to indexers or search heads, but can access our forwarder infrastructure.
What is the exact procedure you are using to ingest the CSV?
Hi Rich,
We have a UF deployed on the asset that generates the list. The list is updated on a daily basis, but only ingested by Splunk on a Sunday morning, around 2am.
What you describe does not sound like typical Splunk processing. Universal forwarders ship data as it is received - they cannot update a list each day and send it to Splunk once a week.
Please provide a detailed explanation of how you get the asset list into Splunk. Without that, we can only speculate about the problem. Include the UF's inputs.conf settings for the CSV and the indexer's props.conf settings for the CSV's sourcetype.