Getting Data In

Splunk Missing Syslog Events

dlems
Engager

Splunk is missing some of the events listed in my syslog file.

(Can't really believe this hasn't been asked. I searched but couldn't find. Possible match is http://answers.splunk.com/questions/9045/websphere-log-monitoring-missing-events, but it is also unanswered at this time.)

A small fraction of events recorded in the system log file are not found in searches. Single Splunk system (version 4.1.5), remote events are coming into syslog-ng, syslog-ng creates a single file - splunk-log.

Splunk search misses first entry below but finds second when looking for 15769:94.

(line 10047154)

Nov 22 10:46:57 192.168.1.53 '': INFO [OSAPI_PROD] [Access] Client [192.168.1.193] ReqID [15769:94] Serving request [getDHCPInfo] Args [clientIP=>192.168.1.193, macAddress=>00:06:7f:0c:ab:ff, requestID=>15769:94]

(line 10048270)

Nov 22 10:46:58 192.168.1.53 '': INFO [OSAPI_PROD] [Access] Client [192.168.1.193] ReqID [15769:94] Request [getDHCPInfo] completed in [0.599868] seconds :: Return Code [0]

The log file is 18467113 lines long, so it's not close to the end of the file. (Was thinking the file was rotated before Splunk had a chance to grab it, but this isn't the case.)

Any ideas why this is happening?

jtrucks
Splunk Employee
Splunk Employee

If this is still a problem, open a support ticket and send in a drag report.

--
Jesse Trucks
Minister of Magic
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...