How to find errors reported in the data.num_of_par...

cdhippen · ‎07-11-2019

We've got some event collectors going down occasionally, and I've seen that their downtime appears to be tied very closely with high counts of data.num_of_parser_errors in introspection, but I'm having trouble finding these parser errors. I looked up index=_internal DateParserVerbose but I'm only seeing warnings in the time periods when these errors were reported and none of them are unhandled from what I can tell.

woodcock · ‎07-13-2019

I would open a support case. Don't expect a good answer quickly because support is swamped.

woodcock · ‎07-11-2019

Why does this not work?

 index=_introspection AND data.num_of_parser_errors=* AND (ERR* OR FAIL* OR CANNOT OR TIMEOUT OR CRASH* OR WARN* OR UNABLE)

cdhippen · ‎07-12-2019

I'm interested in knowing what the errors are rather than their minute to minute count, because we need to narrow down what keeps causing the EC's to crash, and we need some sort of error event or something to start off investigation.

cdhippen · ‎07-12-2019

This search doesn't find anything for the record. I added "NOT "INFO"" to the end of the search as well.

How to find errors reported in the data.num_of_parser_errors field from index=_introspection?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation