Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk is not logging data

pratapa
Explorer
‎12-04-2019 10:01 PM

User complained that Splunk is not logging data

Data being stopped logging after 1:40 PM on Tue Dec 3rd.

Please help me in resolving the problem.

alt text

Preview file
16 KB
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-05-2019 05:06 AM

Hi @pratapa,
there could be many reasons because your Splunk doesn't receive data, you should debug point by point all your architecture:

  • in the last day, there was any change in configuration (roles, grants, deployed TAs)?
  • another user (e.g. admin) can see all the data?
  • is there any block in firewall routes between Universal Forwarder and Splunk Server?
  • from that server, you're continuing to receive in the same period Splunk internal logs (index=_internal host=your_host)?
  • the target server created the new logs?

Then check the inputs.conf deployed to that server.

Ciao.
Giuseppe

0 Karma
Reply

kartm2020
Communicator
‎12-05-2019 05:01 AM

Hi Pratapa,
Can you please provide the type of logs ?
Is it stopped from all the sources or Host or Sourcetype ?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-05-2019 05:01 AM

We have to know more about your Splunk environment to offer specific help, but there are some things you can check.
Are the forwarders still running?
Is the data source still producing events?
If the data comes from a monitored file, is the file still present and has permissions allowing Splunk to read it?
Did any network changes happen that might prevent the data from getting to the indexer(s)?
Are there any errors in splunkd.log that might indicate a problem getting data in?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...