Getting Data In

malformedEventIndex, how to troubleshoot and fix logs ending up here

kmfpo
Explorer

Hello all,

I created a malformedEventIndex (malformedevent), per inputs.conf. I see 400 million+/day from thousands of hosts going to this index from my syslog servers (I have a HF that sends to an indexer cluster).

I tried looking at the events to see what would cause them to end up in this index, and Patterns shows:

100%    __default_indexprocessor_body 

This doesn't tell me anything. I went through the reasons as to why events may end up here and none seem to match.

* Routes the following kinds of events to the specified index:
    * events destined for read-only indexes ### we don't have these
    * log events destined for datatype=metric indexes ### no logs on syslog server go to metric indexes
    * log events with invalid raw data values, like all-whitespace raw ### I cat log files on syslog server and they are not all-whitespace
    * metric events destined for datatype=event indexes ### these systems are not sending metric events
    * metric events with invalid metric values, like non-numeric values ### see above
    * metric events lacking required attributes, like metric name ### see above

Documentation on this index is extremely sparse so I am not sure where to go from here. Please help.

0 Karma
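The only bullet in that list a syslog admin can check locally is the "invalid raw data values" one, and eyeballing `cat` output is not a reliable way to spot whitespace-only or NUL-only records. The script below is an added example (not from this thread or from Splunk) that classifies each raw line as empty, whitespace-only, non-printable-only, or ok, and tallies the result per source host so a handful of bad senders stand out. The sample lines, the host-extraction regex (RFC 3164 style `<PRI>Mon dd hh:mm:ss host ...`) and the function names are my own assumptions; it cannot see why Splunk's index processor actually rerouted an event, it only tells you whether the documented raw-data reason is plausible for your files.

```python
import sys
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the thread). Several are
# deliberately degenerate so the classifier has something to flag.
SAMPLE_LINES = [
    "<13>Jan 10 12:00:01 fw01 kernel: accepted TCP 10.0.0.5:51234 -> 10.0.0.9:443",
    "   ",                      # whitespace-only raw
    "",                         # empty raw
    "<13>Jan 10 12:00:02 fw01 sshd[1234]: session opened for user ops",
    "\t\t",                     # tabs only
    "\x00\x00\x00",             # NUL padding, e.g. from a truncated file
    "<13>Jan 10 12:00:03 app07 nginx: GET /health 200",
]

# Assumed line shape: optional <PRI>, BSD timestamp, then the hostname.
HOST_RE = re.compile(r"^(?:<\d{1,3}>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+(\S+)")


def classify_raw(line: str) -> str:
    """Bucket one raw record by the 'invalid raw data' criteria."""
    body = line.rstrip("\r\n")
    if body == "":
        return "empty"
    if body.strip() == "":          # str.strip() removes whitespace only
        return "whitespace_only"
    if all(not ch.isprintable() for ch in body):
        return "nonprintable_only"  # e.g. runs of NUL bytes
    return "ok"


def host_of(line: str) -> str:
    """Best-effort sender hostname; unparsable lines share one bucket."""
    m = HOST_RE.match(line)
    return m.group(1) if m else "(unparsed)"


def triage(lines) -> Counter:
    """Count (host, category) pairs over an iterable of raw lines."""
    counts = Counter()
    for line in lines:
        counts[(host_of(line), classify_raw(line))] += 1
    return counts


def category_totals(counts: Counter) -> dict:
    """Collapse the per-host counter to totals per category."""
    totals = Counter()
    for (_host, category), n in counts.items():
        totals[category] += n
    return dict(totals)


if __name__ == "__main__":
    # Usage: python triage_raw.py /var/log/syslog-ng/fw01.log
    # With no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = triage(fh)
    else:
        result = triage(SAMPLE_LINES)
    for (host, category), n in sorted(result.items(), key=lambda kv: -kv[1]):
        print(f"{n:8d}  {host:20s}  {category}")
    print("totals:", category_totals(result))
```

If every line in the files that feed the problem hosts comes back `ok`, the raw-data bullet is ruled out for those files and the rerouting is happening for a reason the local data does not explain, which is the situation the later replies in this thread describe.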

archive
New Member

I am having the same issue, would love to bump this for visibility and for an update. Thanks!

0 Karma

GregoryHoward
New Member

Hi,

We made a support ticket about this behavior.

This was the answer:

"

Reproduction went quickly this time, I was able to successfully reproduce this issue on 8.0.1 and 8.1.2 versions.

This smells like a potential bug impacting many versions.

I am now raising an internal request to the developer team to check and review it.

I will keep you informed about the progress, but it may take some time to get developers engaged.

"

Regards,

Gregory

0 Karma

kyaparla
Path Finder

Hi All,

Any update on this issue? We were seeing this issue on version 8.1.3, and continue to see it after upgrading to 8.2.2.

0 Karma