Why are indexers not parsing events?

devin07
Explorer

Fairly new to Splunk so may not have the correct terms for everything. Currently working in a distributed environment with Splunk Enterprise with Windows and Linux hosts. These hosts are sending logs via UFs to the clustered indexers. There is also an HF that is receiving logs from apps and AWS. My issue is that the logs coming from my UFs are not being parsed into field name-value pairs. The Windows/Linux hosts, indexers, and Search Heads all have the splunk_TA_nix and splunk_TA_windows add-ons installed. I almost feel like my indexers are not parsing the data that is coming in.

Log data is getting into Splunk and I can see my events, however it is all in a format similar to this (very crude, I know):

<data><data><data>1039<data><data><data>time<data><data>program<data>splunk<data>

I would like it to be in field name values. At some point I was receiving logs in this format, however I am no longer. What could be causing this?

time: 10:39
program: splunk


gcusello
SplunkTrust

Hi @devin07,

one question: do logs from UFs pass through the HF?

if yes, you have to install the Windows and Linux TAs also on the HF.

I suppose that you are using the Linux and windows TAs also on UFs to input data, is it correct?

Ciao.

Giuseppe


devin07
Explorer

Hey, @gcusello Thanks for responding. So no, the UFs do not send logs to the HF in our env. The UFs send logs straight to the indexers. We are using the HF for AWS CloudTrail/CloudWatch logs and for some applications.

The Linux and Windows TAs on the UF are used to input data, yes. Data is getting into Splunk fine, it's just not being parsed it seems, if that makes sense.


gcusello
SplunkTrust

Hi @devin07,

I suppose that you're using the same TA both on UFs and IDXs, if not check the sourcetype assigned on UFs.

Ciao.

Giuseppe


devin07
Explorer

Same source type. I used a DS to deploy the TA and just checked; the source types are the same.


devin07
Explorer

Not sure if this helps. I was looking further and under index=windeventlog I am only seeing a source type of XmlWinEventLog and not just a source type of WinEventLog; our inputs.conf does have renderxml=true. So if it helps, it is looking like the XmlWinEventLog source types are not being parsed correctly.

Could it be that my fields are being extracted automatically?


gcusello
SplunkTrust

Hi @devin07,

are your logs in XML or raw?

try using renderxml=false

Ciao.

Giuseppe


devin07
Explorer

Thanks @gcusello, this was it. We had used a file that had this set to true rather than false. Thank you!!!

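A check for the cause found in this thread, added here as an example and not part of the original posts: the function scans a merged inputs.conf (a constructed sample, not the poster's real file) for stanzas that set renderxml = true, which is the input that will arrive as XmlWinEventLog rather than WinEventLog. The `splunk btool` command in the comment is Splunk's own; the function name and the sample text are assumptions.

```shell
#!/bin/sh
# Added example: report which inputs.conf stanzas turn on XML rendering.
# On a real host, list the *merged* configuration with the file each line
# came from, which is how you find "the file that had this set to true":
#   $SPLUNK_HOME/bin/splunk btool inputs list --debug | grep -i renderxml

# Constructed sample of a merged inputs.conf (not from the thread).
SAMPLE_INPUTS='[WinEventLog://Security]
disabled = 0
renderxml = true

[WinEventLog://System]
disabled = 0
renderxml = false

[WinEventLog://Application]
disabled = 0
'

# Print, one per line, every WinEventLog stanza (or the global [default]
# stanza, which applies to all inputs) that sets renderxml = true.
# Keys/values are compared case-insensitively; spaces around "=" are ignored.
# A stanza with no explicit renderxml line is not reported here, so always
# check the merged btool output rather than a single file.
xml_rendered_stanzas() {
    printf '%s\n' "$1" | awk '
        /^\[/ { stanza = $0; next }
        tolower($0) ~ /^[ \t]*renderxml[ \t]*=[ \t]*true[ \t]*$/ {
            if (stanza ~ /^\[WinEventLog:\/\// || stanza == "[default]")
                print stanza
        }'
}

xml_rendered_stanzas "$SAMPLE_INPUTS"
```

The sample prints only `[WinEventLog://Security]`; change that stanza to `renderxml = false` and the events return as sourcetype WinEventLog, which is what the TA's field extractions in this thread expected.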

gcusello
SplunkTrust

Hi @devin07 ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
