Getting Data In

Missing events from search for specific hosts running UF

JeremyHagan
Communicator

I have around 80 identically configured branch office domain controllers. They all get their config from the deployment server which defines a few file monitors and Windows event logs.

The config works on the majority of DCs but on two of them I can't see the WinEventLog:Security events. I can see events from other flat-file sources such as DNS server log files and the Active Directory sourcetype is also returning events.

If I check the license usage of that host, I can see that data from that sourcetype is being logged as used. So I suspect that the UF is sending the data and that the indexer is receiving it, but it is just not showing up in search.

Any ideas?

0 Karma

s2_splunk
Splunk Employee

Possible timestamp extraction issues resulting in timestamps in the future for the affected hosts and sourcetypes?
It is weird that it would only affect your Security event log.

I would start by checking your _internal index for error messages logged by splunkd in the DateParserVerbose category:

 index=_internal sourcetype=splunkd component=DateParserVerbose host=yourMissingHost

and see if anything shows up with a message text of

A possible timestamp match (dow mon dd HH:MM:SS YYYY) is outside of the acceptable time window.

or similar (assuming you are forwarding splunkd logs from forwarders).
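To make the timestamp-window hypothesis above concrete, here is an added example (not code from the thread or from Splunk) that triages exported splunkd.log lines offline: it keeps only DateParserVerbose entries carrying the quoted "outside of the acceptable time window" message, pulls the offending timestamp out of the parentheses, and classifies it against the MAX_DAYS_AGO / MAX_DAYS_HENCE window that props.conf uses (defaults 2000 and 2 days). The sample log lines, the host names, the `Context: ...|host::...` tail and the exact line layout (date, level, component) are all constructed assumptions for illustration; only the message text itself is taken from the answer above.

```python
"""Triage helper for the 'timestamp outside the acceptable window' hypothesis.

Added example, not from the original thread or from Splunk. Assumes you have
exported lines from  index=_internal sourcetype=splunkd component=DateParserVerbose
to a text file; the SAMPLE_SPLUNKD_LOG below is constructed, not real data.
"""
import re
from datetime import datetime, timedelta

# props.conf defaults for the acceptable time window (MAX_DAYS_AGO / MAX_DAYS_HENCE).
DEFAULT_MAX_DAYS_AGO = 2000
DEFAULT_MAX_DAYS_HENCE = 2

# Constructed sample lines. Hosts, Context tail and non-matching INFO line are invented;
# the "A possible timestamp match (...)" text is the message quoted in the answer.
SAMPLE_SPLUNKD_LOG = """\
09-15-2025 08:02:11.123 +0000 WARN  DateParserVerbose - A possible timestamp match (Tue Sep 15 09:02:10 2026) is outside of the acceptable time window. Context: source::WinEventLog:Security|host::dc-branch-17|WinEventLog:Security|
09-15-2025 08:02:12.001 +0000 INFO  TailingProcessor - Parsing configuration stanza: monitor://C:\\dns\\dns.log.
09-15-2025 08:02:13.500 +0000 WARN  DateParserVerbose - A possible timestamp match (Fri Jan 01 00:00:00 2010) is outside of the acceptable time window. Context: source::WinEventLog:Security|host::dc-branch-42|WinEventLog:Security|
"""

# Reference "now" used by the stand-alone run and by the assertions (constructed).
EXAMPLE_NOW = datetime(2025, 9, 15, 8, 2, 11)

# Assumed splunkd.log line shape: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LINE_RE = re.compile(
    r"^(?P<logged>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} "
    r"(?P<level>\w+)\s+(?P<component>\w+) - (?P<message>.*)$"
)
# The parenthesised "dow mon dd HH:MM:SS YYYY" timestamp from the message in the answer.
MATCH_RE = re.compile(
    r"A possible timestamp match \((?P<ts>[A-Za-z]{3} [A-Za-z]{3} \d{1,2} "
    r"\d{2}:\d{2}:\d{2} \d{4})\) is outside of the acceptable time window"
)
# Assumed "host::<name>" token in the Context tail.
HOST_RE = re.compile(r"host::(?P<host>[^|\s]+)")


def classify(event_time, now, max_days_ago=DEFAULT_MAX_DAYS_AGO,
             max_days_hence=DEFAULT_MAX_DAYS_HENCE):
    """Return 'too_old', 'future' or 'ok' for an extracted event timestamp."""
    if event_time < now - timedelta(days=max_days_ago):
        return "too_old"
    if event_time > now + timedelta(days=max_days_hence):
        return "future"
    return "ok"


def parse_splunkd_line(line):
    """Split one splunkd.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_window_violations(log_text, now):
    """Collect DateParserVerbose window warnings with host, timestamp and verdict."""
    results = []
    for line in log_text.splitlines():
        rec = parse_splunkd_line(line)
        if rec is None or rec["component"] != "DateParserVerbose":
            continue
        tm = MATCH_RE.search(rec["message"])
        if not tm:
            continue
        event_time = datetime.strptime(tm["ts"], "%a %b %d %H:%M:%S %Y")
        hm = HOST_RE.search(rec["message"])
        results.append({
            "host": hm["host"] if hm else None,
            "logged_at": rec["logged"],
            "event_time": event_time,
            "offset_days": (event_time - now).days,
            "verdict": classify(event_time, now),
        })
    return results


def summarize_by_host(results):
    """Count window violations per host so the odd DCs stand out."""
    counts = {}
    for r in results:
        counts[r["host"]] = counts.get(r["host"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_window_violations(SAMPLE_SPLUNKD_LOG, EXAMPLE_NOW)
    for h in hits:
        print(f"{h['host']}: event {h['event_time']} is {h['verdict']} "
              f"({h['offset_days']:+d} days from now)")
    print("per host:", summarize_by_host(hits))
```

Run it against a real export by replacing `SAMPLE_SPLUNKD_LOG` with the file contents and `EXAMPLE_NOW` with `datetime.utcnow()`; a host that appears in `summarize_by_host` with "future" verdicts is the one whose Security events an "All Time" search may still miss if the indexer rejected or re-stamped them, and a verdict of "ok" for every line means the window hypothesis does not explain the gap.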

JeremyHagan
Communicator

Hi,

Thanks for the reply. I should mention that I've done some "All Time" searches against this host in case the events were showing up in the future with no luck. As you say, being a DC, I'd have other problems with time sync. The server is definitely in a different time zone, but I have two servers at the site and it is only the DC that is not forwarding Windows Event logs and they are both covered by the same entry in the Splunk config for time zone adjustment.

We are forwarding Splunkd logs and I checked for DateParserVerbose errors but nothing came up. In fact the only ERROR present is one about it not being able to locate the PDC emulator, but every DC has that error.

0 Karma