Nothing gets indexed for unknown reason

splunk0
Path Finder

All I see in the log is:

log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2506 :INFO: Successfully create opsec environment
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2535 :INFO: Successfully initialize client/server-pair
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles code_line_no:2553 :INFO: Successfully create session
[ 161687680][25 Mar 14:30:54] get_pkxld_path: cpshared_filename failed
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2596 :INFO: lea_get_first_file_info returned 4
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2597 :INFO: Available FW-1 Logfiles
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2601 :INFO: - purged nID 1399793794 aID 1399793794
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2601 :INFO: - purged nID 1399814080 aID 1399814080
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2601 :INFO: - purged nID 1399829518 aID 1399829518
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2601 :INFO: - purged nID 1399841761 aID 1399841761
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2601 :INFO: - purged nID 1399852792 aID 1399852792


splunk0
Path Finder

I eventually just deleted all and installed from the Web Interface. It works fine.

richgalloway
SplunkTrust

@splunk0 If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

tiagofbmm
Influencer

We need more info about this. What were you trying to ingest? Can you search the internal indexes, or is the log you are showing from a tail in the command line?

What is your environment: standalone or distributed?


splunk0
Path Finder

I just followed this guide:
https://docs.splunk.com/Documentation/AddOns/released/OPSEC-LEA/Troubleshoot

The logs in the original post are from splunk_ta_checkpoint-opseclea_modinput.log
It just continues with the same type of message:
log_level=2 file:lea_loggrabber.cpp func_name:get_fw1_logfiles_dict code_line_no:2601 :INFO: - purged nID aID
countless times, but nothing gets logged to index=opsec

The beginning of the file shows: get_pkxld_path: cpshared_filename failed
Maybe that is an indication of something?

Does it matter if it's standalone or not? I don't think it matters.


splunker12er
Motivator

Do you manage this Check Point device?

Check this link for the error message:
The HKLM_registry.data file is corrupted.
