Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

does not perform log collection

ArianeSantos
New Member
‎05-02-2024 12:30 PM

We have splunk installed and the collection was happening normally, but for a few days now the collection has stopped. the forwarder is running normally. How do I solve the problem with automatic report collection and sending?

Labels (1)
Labels
0 Karma
Reply

deepakc
Builder
‎05-02-2024 11:41 PM

"How do I solve the problem with automatic report collection and sending?"

Maybe you can use the below this to check, using the metadata command this example shows if a host has not sent any data to the _internal index, this can be change to another index where you are expecting regular data to come to, and you can also change the period -5m to say 10 mins etc, you can then save this as an alert, or dashboard table  to inform you when there is no data and look as to why etc.

| metadata type=hosts index=_internal
| table host, firstTime, lastTime, recentTime 
| rename totalCount as Count firstTime as "First_Event" lastTime as "Last_Event" recentTime as "Last_Update" 
| fieldformat Count=tostring(Count, "commas") 
| fieldformat "First_Event"=strftime('First_Event', "%c") 
| fieldformat "Last_Event"=strftime('Last_Event', "%c") 
| fieldformat "Last_Update"=strftime('Last_Update', "%c") 
| where Last_Update <= relative_time(now(),"-5m")
| table host, Last_Update

  

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-02-2024 11:36 PM

Hi @ArianeSantos ,

let me understand: your ingestion correcty worked until the 30th of April and stopped from the 1st of May, is it correct?

In this case, check the date format of your data and check if the events of the 1st of may was indexed with timestamp 2024-01-05.

If you have an european date format (dd/mm/yyyy) and you didn't forced the format (TIESTAMP_FORMAT = %d/%m/%Y), Splunk by default uses the american format (mm/dd/yyyy), so in the first 12 days of the month, you have an error.

You can solve the issue forcing the TIME_FORMAT.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk &#43; Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...