Getting Data In

Missing events from several indexes / sourcetypes

ride76
Explorer

I am not sure if anyone else has seen this issue, but at least 3 times lately I have done a broad search on an IP, in our Splunk instance of 4.3.1, and have gotten at least 3 sourcetypes - this particular one being our Cisco ASA, DHCP, and web filter. However, when re-running the search 4 or 5 or 6 hours later the Cisco ASA sourcetype no longer shows up in the results.

Is anyone aware of this specific issue? Or where can I start to troubleshoot this? Within the SOS app, the Cisco ASA index is showing it's receiving events and is current. And I can do a search on the Cisco ASA sourcetype.

Our Splunk instance is made up of 4 servers: a search head and 3 indexers. Would it make sense to log in to the indexer receiving the Cisco events and check there?

0 Karma

kristian_kolb
Ultra Champion

Well, you could have some problems with your peers not returning results, if you by 'same timeframe' mean something like 'April 4th, 1AM-3PM' and not 'last 24 hours'.

When the events DO NOT turn up, do you get search results from all indexers? This can be seen in the splunk_server field, which is automatically extracted. Check the field picker on the left.

/k

0 Karma
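A diagnostic search in the spirit of the answer above, added here as an example rather than taken from the thread (the IP 10.0.0.1 and the 24-hour window are placeholders; substitute the address and the exact time range from the original search). It breaks the hits down by search peer, index and sourcetype, so an indexer that returned nothing for the ASA sourcetype shows up as a missing row rather than a silently smaller result set:

```spl
index=* 10.0.0.1 earliest=-24h latest=now
| stats count min(_time) AS first_seen max(_time) AS last_seen BY splunk_server index sourcetype
| eval first_seen=strftime(first_seen, "%F %T"), last_seen=strftime(last_seen, "%F %T")
| sort splunk_server sourcetype
```

Run it both when the ASA events are present and when they are not; if a splunk_server value disappears from the table entirely, the problem is the peer rather than the data.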

ride76
Explorer

I was definitely more alarmed when they did not show up. The events were packets being blocked at the firewall. UDP packets going from an internal network to an internet IP. Has anyone ever experienced this?

0 Karma

carmackd
Communicator

By broad search do you mean over "All time"?

If you're searching 6 hours later, it's very possible there simply are no Cisco ASA events for the "new" time period you are searching over. For example, searching over the last 24 hours and doing it again 6 hours later will exclude 6 hours of results on the back end of your original search results, while adding 6 new hours of results on the front end.

0 Karma

carmackd
Communicator

When the behavior you're seeing occurs, can you return results by searching?

sourcetype=

I know you said you could by searching the sourcetype alone, but if you include the IP you're looking for, can you return results?

Do you ever experience problems with your search peers dropping off?

In your query, are you searching the IP using a key-value pair, i.e. field=, or simply searching for the IP as a string in the raw event data?

0 Karma

ride76
Explorer

I ran the search for the same timeframe as the original search. The timeframes were the same, and the events from the other sourcetypes were there, just not from the Cisco ASA. Does this help?

0 Karma

kristian_kolb
Ultra Champion

Well, what did the Cisco events look like? Was there no obvious reason why they showed up? Or were you more alarmed when they didn't turn up?

/k

0 Karma