Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

does not perform log collection

ArianeSantos
New Member
‎05-02-2024 12:30 PM

We have splunk installed and the collection was happening normally, but for a few days now the collection has stopped. the forwarder is running normally. How do I solve the problem with automatic report collection and sending?

Labels (1)
Labels
0 Karma
Reply

deepakc
Builder
‎05-02-2024 11:41 PM

"How do I solve the problem with automatic report collection and sending?"

Maybe you can use the below this to check, using the metadata command this example shows if a host has not sent any data to the _internal index, this can be change to another index where you are expecting regular data to come to, and you can also change the period -5m to say 10 mins etc, you can then save this as an alert, or dashboard table  to inform you when there is no data and look as to why etc.

| metadata type=hosts index=_internal
| table host, firstTime, lastTime, recentTime 
| rename totalCount as Count firstTime as "First_Event" lastTime as "Last_Event" recentTime as "Last_Update" 
| fieldformat Count=tostring(Count, "commas") 
| fieldformat "First_Event"=strftime('First_Event', "%c") 
| fieldformat "Last_Event"=strftime('Last_Event', "%c") 
| fieldformat "Last_Update"=strftime('Last_Update', "%c") 
| where Last_Update <= relative_time(now(),"-5m")
| table host, Last_Update

  

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-02-2024 11:36 PM

Hi @ArianeSantos ,

let me understand: your ingestion correcty worked until the 30th of April and stopped from the 1st of May, is it correct?

In this case, check the date format of your data and check if the events of the 1st of may was indexed with timestamp 2024-01-05.

If you have an european date format (dd/mm/yyyy) and you didn't forced the format (TIESTAMP_FORMAT = %d/%m/%Y), Splunk by default uses the american format (mm/dd/yyyy), so in the first 12 days of the month, you have an error.

You can solve the issue forcing the TIME_FORMAT.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...