
TCP-SSL is receiving data but events are not getting indexed

livioricciulli
Engager

I am developing an app and everything worked fine for a while. I then tried to package everything under my app's default directory, including the inputs.conf:
[tcp-ssl:xxxx]
sourcetype = syslog

[SSL]
rootCA = /opt/splunk/etc/certs/cacert.pem
serverCert = /opt/splunk/etc/certs/splunk.pem
password = xxxxx

I can see the packets coming in on the port using tcpdump; so, Splunk is receiving network data but the indexing stopped; the data is disappearing. There are no licensing issues and I am stuck. No errors. How do I debug this?

1 Solution

livioricciulli
Engager

Thanks, I found the problem. The Splunk timestamp processor was not able to process the <\d+> field of syslog messages. I fixed it with DATETIME_CONFIG = CURRENT in the props.conf file, which disables the timestamp processor.


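The thread does not show the poster's props.conf, so the following is an added example, not the original app's configuration: the accepted workaround as a props.conf stanza, next to an alternative that keeps the timestamp the sending host wrote. The file path, the sourcetype name syslog_pri and the RFC 3164 line layout ("<PRI>Mon DD HH:MM:SS host program: message") are assumptions; the inputs.conf stanza would have to set sourcetype = syslog_pri for the second option to apply.

```ini
# Assumed location: $SPLUNK_HOME/etc/apps/<app>/default/props.conf (example, not the thread's file)

# Option A: the workaround from the accepted answer.
# Splunk stops trying to parse a timestamp and assigns every event the
# time it was indexed. The event time written by the sending host is lost.
[syslog]
DATETIME_CONFIG = CURRENT

# Option B: skip the <PRI> field explicitly and tell Splunk the format that
# follows it, so _time stays the sender's time. Uses a separate sourcetype
# (assumed name) so it does not interact with the built-in [syslog] settings.
[syslog_pri]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Regex matched before the timestamp; "<13>" in "<13>Jan  5 12:34:56 host ..." is consumed here.
TIME_PREFIX = ^<\d+>
# RFC 3164 timestamp: no year, no zone; Splunk assumes the current year.
TIME_FORMAT = %b %d %H:%M:%S
# Only scan this many characters after TIME_PREFIX for the timestamp.
MAX_TIMESTAMP_LOOKAHEAD = 20
# Assumed zone of the senders; set to what the hosts actually use.
TZ = UTC
```

Before settling on option A, find out what the timestamp processor objected to: warnings from the DateParserVerbose component in index=_internal (sourcetype=splunkd) state why a timestamp was rejected, and a "too far in the past/future" message points at MAX_DAYS_AGO or MAX_DAYS_HENCE rather than at the format. Events that "disappear" are often indexed with a badly parsed timestamp and simply sit outside the default search window, so search over All time first. Stamping events with index time is a real loss for an investigation: _time then records when Splunk received the line, not when the event happened on the host, and any delivery delay shifts the timeline.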


aaraneta_splunk
Splunk Employee

@livioricciulli - If this is the working solution to your question, please don't forget to click "Accept" in order to close out your question. That way others can easily find it if they're having the same issue. Thanks!


jkat54
SplunkTrust

Search your _internal index for err* or warn*:

index=_internal log_level=err* OR log_level=warn*

Sometimes it's easier to restart Splunk, then perform the search looking at the last 15 minutes (to reduce the clutter you will find).

If there is an ssl issue it should show up at the time of the restart.


skalliger
Motivator

Can you please post your complete inputs.conf and outputs.conf (masked, of course) from your app directory and the inputs.conf from your indexer? This would help.

Skalli
