Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk occasionally not capturing all logs

rileykohl21
New Member
‎02-25-2019 10:06 AM

Hey all, I'm running into some odd behavior. I currently have splunkforwarder set up on a container and it should be pulling in logs from three log files. Here's a quick rundown of the issue:

  • "daily.one.log", "daily.two.log", and "daily.three.log" are generated when I run three different backups for another application
  • Backups run around 1am every morning and are usually pretty quick (a matter of minutes)
  • a Splunk search for those files usually returns the complete contents of all three logs for a given day
  • every few days or so, Splunk will not have all of the lines from the log files or even all the logs
  • A recent example would be that Splunk had the complete logs for "daily.one.log", nothing from "daily.two.log", and some of the lines from "daily.three.log"

Any ideas as to what could be causing this to happen sporadically?

Tags (2)
0 Karma
Reply

whrg
Motivator
‎02-26-2019 01:39 AM

Perhaps you can find the source of the problem via Add Data / Upload in Splunk web interface: Upload a faulty file, select the according sourcetype and check if everything is alright.

One idea: Perhaps timestamp recognition is not working correctly. Again, use Add Data / Upload to verify that all timestamps are parsed correctly. If not, have a look at Configure timestamp recognition, specifically TIME_FORMAT and TIME_PREFIX in props.conf.

Another idea: Splunk will not index files which are completely identical so that Splunk does not index log rotated files. (I'm not sure though if this applies in your case, since you said that sometimes only partial files are indexed.)
You can prevent this behaviour in your inputs.conf with:

crcSalt = <SOURCE>
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...