Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

does not perform log collection

ArianeSantos
New Member
a month ago

We have splunk installed and the collection was happening normally, but for a few days now the collection has stopped. the forwarder is running normally. How do I solve the problem with automatic report collection and sending?

Labels (1)
Labels
0 Karma
Reply

deepakc
Builder
a month ago

"How do I solve the problem with automatic report collection and sending?"

Maybe you can use the below this to check, using the metadata command this example shows if a host has not sent any data to the _internal index, this can be change to another index where you are expecting regular data to come to, and you can also change the period -5m to say 10 mins etc, you can then save this as an alert, or dashboard table  to inform you when there is no data and look as to why etc.

| metadata type=hosts index=_internal
| table host, firstTime, lastTime, recentTime 
| rename totalCount as Count firstTime as "First_Event" lastTime as "Last_Event" recentTime as "Last_Update" 
| fieldformat Count=tostring(Count, "commas") 
| fieldformat "First_Event"=strftime('First_Event', "%c") 
| fieldformat "Last_Event"=strftime('Last_Event', "%c") 
| fieldformat "Last_Update"=strftime('Last_Update', "%c") 
| where Last_Update <= relative_time(now(),"-5m")
| table host, Last_Update

  

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
a month ago

Hi @ArianeSantos ,

let me understand: your ingestion correcty worked until the 30th of April and stopped from the 1st of May, is it correct?

In this case, check the date format of your data and check if the events of the 1st of may was indexed with timestamp 2024-01-05.

If you have an european date format (dd/mm/yyyy) and you didn't forced the format (TIESTAMP_FORMAT = %d/%m/%Y), Splunk by default uses the american format (mm/dd/yyyy), so in the first 12 days of the month, you have an error.

You can solve the issue forcing the TIME_FORMAT.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...