Getting Data In

Why can't we see indexer internal logs?

bhsakarchourasi
Path Finder

Hi All,

We are unable to see the indexers' internal logs in the _internal index, except mongodb logs. We verified that the input configuration is present in the default inputs.conf, but when checking splunkd.log there are no TailReader process logs; the only logs are those related to seekptr (generally seen when there is a rollover of the log file). We even tried configuring inputs.conf with a different index and sourcetype for splunkd.log, but it didn't work.

Also, almost half of the UFs stopped reporting to the indexers. There are 6 indexers in the cluster.

Any idea about the issue will be very helpful.

 

Thanks,

Bhaskar    


isoutamo
SplunkTrust

Can you check that those logs are present and working at the filesystem level? There could be some events in them that tell the reason why Splunk cannot index them.

bhsakarchourasi
Path Finder

This is solved, but I am still not convinced by the resolution. After spending hours on troubleshooting, we circled back to the changes performed in the last week, then found a small typo in the props.conf of one of the apps pushed to the indexers and search heads. Disabling that app on the indexers resolved the issue (we later corrected the typo on the idx and SHs). Not sure how a typo in an app halted the internal logs of the indexers and some of the UFs. We have asked Splunk to help investigate the issue.


gcusello
SplunkTrust

Hi @bhsakarchourasi,

It depends on what typo you found.

Anyway, good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

isoutamo
SplunkTrust

Nice to hear that you solved it. One way to analyze it further is to install all your configurations on a standalone instance, just as they were in production. Then use btool to check how they are expanded on that node. That way you can see why that typo has this kind of side effect.

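The btool check suggested in the last reply can be narrowed to one app. The script below is an added example, not code from any poster in this thread: it filters `splunk btool props list --debug` output down to the settings a single app contributes to the merged configuration, grouped by the stanza they land in. The app name `custom_ta` and the sample output are constructed, and the script assumes the `--debug` layout of one file path followed by the stanza header or setting on each line.

```shell
#!/bin/sh
# Added example; app name and sample data are constructed, not from the thread.
# Real use on the standalone test instance:
#   "$SPLUNK_HOME/bin/splunk" btool props list --debug | settings_from_app <app>
# (`splunk btool check` is a separate pass that reports invalid keys/stanzas.)

# Print "stanza<TAB>setting<TAB>file" for every effective setting whose
# winning value comes from the given app's default/ or local/ directory.
settings_from_app() {
  awk -v app="$1" '
    NF < 2 { next }                          # no "path setting" pair on this line
    {
      path = $1
      line = $0
      sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)  # drop the leading file path
    }
    line ~ /^\[.*\]$/ { stanza = line; next } # remember the current stanza
    index(path, "/" app "/default/") || index(path, "/" app "/local/") {
      print stanza "\t" line "\t" path
    }
  '
}

# Unique list of stanzas the app changes in the merged view.
stanzas_touched() {
  settings_from_app "$1" | cut -f1 | LC_ALL=C sort -u
}

# Constructed sample of `btool props list --debug` output.
sample_btool_output() {
  cat <<'EOF'
/opt/splunk/etc/system/default/props.conf [default]
/opt/splunk/etc/system/default/props.conf ANNOTATE_PUNCT = True
/opt/splunk/etc/apps/custom_ta/local/props.conf TRUNCATE = 10000
/opt/splunk/etc/system/default/props.conf [splunkd]
/opt/splunk/etc/system/default/props.conf MAX_TIMESTAMP_LOOKAHEAD = 40
/opt/splunk/etc/apps/custom_ta/local/props.conf [custom:log]
/opt/splunk/etc/apps/custom_ta/local/props.conf SHOULD_LINEMERGE = false
EOF
}

# Demo run on the constructed sample.
sample_btool_output | settings_from_app custom_ta
```

A setting that shows up under a stanza the app was never meant to own is the first place to look, because that stanza's scope decides which sources and sourcetypes are affected.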