How to find errors reported in the data.num_of_par...

cdhippen · ‎07-11-2019

We've got some event collectors going down occasionally, and I've seen that their downtime appears to be tied very closely with high counts of data.num_of_parser_errors in introspection, but I'm having trouble finding these parser errors. I looked up index=_internal DateParserVerbose but I'm only seeing warnings in the time periods when these errors were reported and none of them are unhandled from what I can tell.

woodcock · ‎07-13-2019

I would open a support case. Don't expect a good answer quickly because support is swamped.

woodcock · ‎07-11-2019

Why does this not work?

 index=_introspection AND data.num_of_parser_errors=* AND (ERR* OR FAIL* OR CANNOT OR TIMEOUT OR CRASH* OR WARN* OR UNABLE)

cdhippen · ‎07-12-2019

I'm interested in knowing what the errors are rather than their minute to minute count, because we need to narrow down what keeps causing the EC's to crash, and we need some sort of error event or something to start off investigation.

cdhippen · ‎07-12-2019

This search doesn't find anything for the record. I added "NOT "INFO"" to the end of the search as well.

How to find errors reported in the data.num_of_parser_errors field from index=_introspection?

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration