How to find errors reported in the data.num_of_par...

cdhippen · ‎07-11-2019

We've got some event collectors going down occasionally, and I've seen that their downtime appears to be tied very closely with high counts of data.num_of_parser_errors in introspection, but I'm having trouble finding these parser errors. I looked up index=_internal DateParserVerbose but I'm only seeing warnings in the time periods when these errors were reported and none of them are unhandled from what I can tell.

woodcock · ‎07-13-2019

I would open a support case. Don't expect a good answer quickly because support is swamped.

woodcock · ‎07-11-2019

Why does this not work?

 index=_introspection AND data.num_of_parser_errors=* AND (ERR* OR FAIL* OR CANNOT OR TIMEOUT OR CRASH* OR WARN* OR UNABLE)

cdhippen · ‎07-12-2019

I'm interested in knowing what the errors are rather than their minute to minute count, because we need to narrow down what keeps causing the EC's to crash, and we need some sort of error event or something to start off investigation.

cdhippen · ‎07-12-2019

This search doesn't find anything for the record. I added "NOT "INFO"" to the end of the search as well.

How to find errors reported in the data.num_of_parser_errors field from index=_introspection?

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

Are you a member of the Splunk Community?

How to find errors reported in the data.num_of_parser_errors field from index=_introspection?

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University