Getting Data In

does not perform log collection

ArianeSantos
New Member

We have Splunk installed and the collection was happening normally, but for a few days now the collection has stopped. The forwarder is running normally. How do I solve the problem with automatic report collection and sending?

0 Karma

deepakc
Builder

"How do I solve the problem with automatic report collection and sending?"

Maybe you can use the search below to check. Using the metadata command, this example shows if a host has not sent any data to the _internal index. This can be changed to another index where you are expecting regular data to arrive, and you can also change the period -5m to, say, 10 mins, etc. You can then save this as an alert or dashboard table to inform you when there is no data, and look into why.

| metadata type=hosts index=_internal
| table host, totalCount, firstTime, lastTime, recentTime
| rename totalCount as Count firstTime as "First_Event" lastTime as "Last_Event" recentTime as "Last_Update" 
| fieldformat Count=tostring(Count, "commas") 
| fieldformat "First_Event"=strftime('First_Event', "%c") 
| fieldformat "Last_Event"=strftime('Last_Event', "%c") 
| fieldformat "Last_Update"=strftime('Last_Update', "%c") 
| where Last_Update <= relative_time(now(),"-5m")
| table host, Last_Update

  

0 Karma

gcusello
SplunkTrust

Hi @ArianeSantos ,

Let me understand: your ingestion worked correctly until the 30th of April and stopped from the 1st of May, is that correct?

In this case, check the date format of your data and check if the events of the 1st of May were indexed with timestamp 2024-01-05.

If you have a European date format (dd/mm/yyyy) and you didn't force the format (TIME_FORMAT = %d/%m/%Y), Splunk by default uses the American format (mm/dd/yyyy), so in the first 12 days of the month, you have an error.

You can solve the issue by forcing the TIME_FORMAT.

Ciao.

Giuseppe

0 Karma
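
The date ambiguity described in the reply above, as an added example that is not part of any post in this thread: it reads constructed dd/mm/yyyy sample events both day-first and month-first and reports which ones land on the wrong date. It models the two readings only and is not Splunk's timestamp processor; the event lines, `classify` and `audit` are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample events with a European dd/mm/yyyy timestamp (not from the thread).
SAMPLE_EVENTS = [
    "30/04/2024 23:59:10 action=login user=alice",
    "01/05/2024 00:00:07 action=login user=bob",
    "05/05/2024 08:15:00 action=logout user=bob",
    "12/05/2024 10:30:00 action=login user=carol",
    "13/05/2024 10:30:00 action=login user=carol",
]

TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")
EU_FORMAT = "%d/%m/%Y %H:%M:%S"  # what the data really means
US_FORMAT = "%m/%d/%Y %H:%M:%S"  # month-first reading described in the reply


def classify(event):
    """Return (status, true_time, misread_time) for one raw event line."""
    match = TS_RE.match(event)
    if not match:
        return ("no_timestamp", None, None)
    raw = match.group(1)
    true_time = datetime.strptime(raw, EU_FORMAT)
    try:
        misread = datetime.strptime(raw, US_FORMAT)
    except ValueError:
        # A day above 12 cannot be a month, so the month-first reading fails.
        return ("unambiguous", true_time, None)
    if misread == true_time:
        return ("same_either_way", true_time, misread)  # e.g. 05/05
    return ("misdated", true_time, misread)


def audit(events):
    """List (date, status, skew_days) under the month-first reading."""
    report = []
    for event in events:
        status, true_time, misread = classify(event)
        skew_days = (misread - true_time).days if misread else None
        report.append((event[:10], status, skew_days))
    return report


if __name__ == "__main__":
    for date, status, skew in audit(SAMPLE_EVENTS):
        print(f"{date}  {status:<16} skew_days={skew}")
```

Events flagged `misdated` are present in the index but fall outside a recent search window, which looks the same as collection having stopped.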