Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

logs being cutoff

ralphw_SAIC
Path Finder
‎03-08-2016 06:58 AM

Running Splunk Enterprise and Splunkforwarder, both on RHEL, and we are having issues with the front portion of some logs being cutoff while the back half remains and gets indexed. The datetime stamp and server name remains, but then the front half is removed. This occurs randomly for different events.

This is an example from the same server and timestamp:
From localhost
audispd: node=localhost type=SYSCALL msg=audit(1457382989.281:3703928): arch=c000003e syscall=91 success=yes exit=0 a0=3 a1=100 a2=0 a3=7fffdedde310 items=1 ppid=2866 pid=2881 auid=4094 uid=4094 gid=518
8 euid=4094 suid=4094 fsuid=4094 egid=5188 sgid=5188 fsgid=5188 tty=(none) ses=11541 comm="betaGraph.ksh" exe="/bin/ksh93" key=(null)

From Splunk
=0 a3=7fffdeddec90 items=1 ppid=2866 pid=2881 auid=4094 uid=4094 gid=5188 euid=4094 suid=4094 fsuid=4094 egid=5188 sgid=5188 fsgid=5188 tty=(none) ses=11541 comm="betaGraph.ksh" exe="/bin/ksh93" key=(null)

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-08-2016 08:20 AM

So these are log files from the same server, some of the events are being cutoff while other events are correct? Can you see if they have different sourcetypes? If so then you will need to edit your inputs.conf and change the sourcetype or edit your props.conf and add the linebreaking for that other sourcetype

0 Karma
Reply

ralphw_SAIC
Path Finder
‎03-09-2016 04:45 AM

There are multiples of these type logs in /var/log/messages. The only difference is the timestamp on them. Some come through ok and some get the leading portion cutoff.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-09-2016 07:17 AM

Go into Splunk and compare the events which are being cutoff vs the events that are not being cutoff. When doing this comparison, look at the sourcetypes (There should be a pre-extracted field called sourcetype). If the sourcetypes are different then its getting cutoff when being indexed. You can fix this by modifying your props.conf

0 Karma
Reply

ralphw_SAIC
Path Finder
‎03-09-2016 11:09 AM

They are both the same sourcetype, linux_messages_syslog.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-09-2016 01:23 PM

Can you post your props.conf stanza?

0 Karma
Reply

ralphw_SAIC
Path Finder
‎03-10-2016 05:51 AM

I do not have a local props.conf file, just the default props.conf.

0 Karma
Reply

rosplunk07
Observer
‎01-28-2020 10:57 PM

Hey @ralphw_SAIC ... You got any solution on this? I am facing the same issue, some random logs are being cutoff intermittently from the start.
Thanks.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Related Topics
Logs sending being cutoff
Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...