Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

logs being cutoff

ralphw_SAIC
Path Finder
‎03-08-2016 06:58 AM

Running Splunk Enterprise and Splunkforwarder, both on RHEL, and we are having issues with the front portion of some logs being cutoff while the back half remains and gets indexed. The datetime stamp and server name remains, but then the front half is removed. This occurs randomly for different events.

This is an example from the same server and timestamp:
From localhost
audispd: node=localhost type=SYSCALL msg=audit(1457382989.281:3703928): arch=c000003e syscall=91 success=yes exit=0 a0=3 a1=100 a2=0 a3=7fffdedde310 items=1 ppid=2866 pid=2881 auid=4094 uid=4094 gid=518
8 euid=4094 suid=4094 fsuid=4094 egid=5188 sgid=5188 fsgid=5188 tty=(none) ses=11541 comm="betaGraph.ksh" exe="/bin/ksh93" key=(null)

From Splunk
=0 a3=7fffdeddec90 items=1 ppid=2866 pid=2881 auid=4094 uid=4094 gid=5188 euid=4094 suid=4094 fsuid=4094 egid=5188 sgid=5188 fsgid=5188 tty=(none) ses=11541 comm="betaGraph.ksh" exe="/bin/ksh93" key=(null)

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-08-2016 08:20 AM

So these are log files from the same server, some of the events are being cutoff while other events are correct? Can you see if they have different sourcetypes? If so then you will need to edit your inputs.conf and change the sourcetype or edit your props.conf and add the linebreaking for that other sourcetype

0 Karma
Reply

ralphw_SAIC
Path Finder
‎03-09-2016 04:45 AM

There are multiples of these type logs in /var/log/messages. The only difference is the timestamp on them. Some come through ok and some get the leading portion cutoff.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-09-2016 07:17 AM

Go into Splunk and compare the events which are being cutoff vs the events that are not being cutoff. When doing this comparison, look at the sourcetypes (There should be a pre-extracted field called sourcetype). If the sourcetypes are different then its getting cutoff when being indexed. You can fix this by modifying your props.conf

0 Karma
Reply

ralphw_SAIC
Path Finder
‎03-09-2016 11:09 AM

They are both the same sourcetype, linux_messages_syslog.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎03-09-2016 01:23 PM

Can you post your props.conf stanza?

0 Karma
Reply

ralphw_SAIC
Path Finder
‎03-10-2016 05:51 AM

I do not have a local props.conf file, just the default props.conf.

0 Karma
Reply

rosplunk07
Observer
‎01-28-2020 10:57 PM

Hey @ralphw_SAIC ... You got any solution on this? I am facing the same issue, some random logs are being cutoff intermittently from the start.
Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top