Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Troubleshooting

revanthammineni
Path Finder
‎05-14-2020 08:45 PM

1) If splunk can't read a date in certain instances, What troubleshooting I should do?

2) If I've onboarded application logs into splunk and the agent is running, But when I query, I don't get any result. What can be the causes and how to identify?

Tags (1)
0 Karma
Reply

ragedsparrow
Contributor
‎05-14-2020 09:24 PM

  1. What do you mean "Certain instances"?

    Splunk has a number of pre-defined sourcetypes (like JSON, CSV, syslog, etc) that automatically will do things like event parsing and timestamp recognition. If that is not happening with certain instances of your logs, you may have to tell Splunk how to assign the timestamp to your logs in the props.conf

  2. I would start by using $SPLUNK_HOME/bin/splunk btool and looking at your inputs to make sure thinks like the inputs hostname is correct, the index name is correct. You'd also want to use btool to ensure your outputs are correct. Then you could start looking into the Splunkd.log ( $SPLUNK_HOME/var/log/splunk/splunkd.log ) for any errors that may be occurring. (like, are you getting any errors when trying to connect to your indexer? If all of that checks out and you are seeing monitoring of your logs on the forwarder, then you would want to check your indexer for things like ensuring the index exists and if the role has permissions to search it.

Here is some good resources for timestamping and linebreaking:

For troubleshooting:

This is just to get you started, though. There are a TON of resources out there.

Reply

revanthammineni
Path Finder
‎05-14-2020 10:41 PM

Thank you very much! I appreciate your fast response.

0 Karma
Reply

revanthammineni
Path Finder
‎05-14-2020 09:33 PM

Thanks for the reply. Sorry I meant data. If I don't see data coming into the splunk or If I miss data. Then what all the troubleshooting I should do?

Also, What Troubleshooting is required for the performance issues?

0 Karma
Reply

ragedsparrow
Contributor
‎05-14-2020 09:50 PM

The Splunk Monitoring Console is excellent for troubleshooting performance issues:

Here is also some documentation around indexing performance troubleshooting:

If you are having issues with data missing, or not being read by Splunk, check things like file and directory permissions for the User running Splunk and reference this documentation:

0 Karma
Reply

ragedsparrow
Contributor
‎05-14-2020 09:51 PM

There is also an excellent Troubleshooting course offered by Splunk: https://www.splunk.com/en_us/training/courses/troubleshooting-splunk-enterprise.html

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...