How to find errors reported in the data.num_of_par...

cdhippen · ‎07-11-2019

We've got some event collectors going down occasionally, and I've seen that their downtime appears to be tied very closely with high counts of data.num_of_parser_errors in introspection, but I'm having trouble finding these parser errors. I looked up index=_internal DateParserVerbose but I'm only seeing warnings in the time periods when these errors were reported and none of them are unhandled from what I can tell.

woodcock · ‎07-13-2019

I would open a support case. Don't expect a good answer quickly because support is swamped.

woodcock · ‎07-11-2019

Why does this not work?

 index=_introspection AND data.num_of_parser_errors=* AND (ERR* OR FAIL* OR CANNOT OR TIMEOUT OR CRASH* OR WARN* OR UNABLE)

cdhippen · ‎07-12-2019

I'm interested in knowing what the errors are rather than their minute to minute count, because we need to narrow down what keeps causing the EC's to crash, and we need some sort of error event or something to start off investigation.

cdhippen · ‎07-12-2019

This search doesn't find anything for the record. I added "NOT "INFO"" to the end of the search as well.

How to find errors reported in the data.num_of_parser_errors field from index=_introspection?

Can’t make it to .conf25? Join us online!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Index This | How many sevens are there between 1 and 100?

Are you a member of the Splunk Community?

How to find errors reported in the data.num_of_parser_errors field from index=_introspection?

Can’t make it to .conf25? Join us online!

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Index This | How many sevens are there between 1 and 100?