Why is Splunk cutting off the data received with c...

benhurbarbieri · ‎08-22-2018

Splunk is cutting some data that is received through collect made on a server.

I have already reviewed the props.conf and inputs.conf files.

Has anyone seen anything about this?

Thankful.

nadlurinadluri · ‎08-23-2018

Ideally collect command is used only for statistical data, and I dont exactly understand as on what data is missing once you use collect command!! Can you elaborate?

pruthvikrishnap · ‎08-22-2018

Hi Ben,
Try adding the complete values to your search try mentioning the complete index, source-type etc.

| collect index=summary sourcetype=foo

Re-check if any regex is applied on any field.
Share few samples on what is missing, may be we can look into it.
Let me know if this helps.

horsefez · ‎08-22-2018

Hi @benhurbarbieri,

it's not so clear what you are talking about, but I guess you are talking about Event-Breaking.
Maybe data is coming in and the event isn't breaking at the timestamp you configured.
Stuff like that is pretty common.

To help you, you need to post some sample data and the corresponding stanza's in props/transforms.conf if there are any.

Why is Splunk cutting off the data received with collect command?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation