Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Script set up via universal forwarder stops and starts working on its own again

_pravin
Communicator
‎04-05-2022 02:42 AM

Hi Community,

 

I am having a weird issue with Splunk Enterprise. I had set up a universal internal forwarder to execute a script that gives me the list of all different processes within the Linux environment.

All of a sudden the script stopped producing results from 12 am and the panel didn't work. But again it starts working after 3 days by itself. This happened in both the test and production setup. Is there something that should be taken care of when using scripts in Universal forwarder or is there some reason for this unusual behaviour?

 

Regards,

Pravin

 

 

 

Labels (3)
Tags (2)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-05-2022 06:54 AM

Please provide more information on how the script is being managed. (inputs.conf, script logic, etc)


Also, please make sure your forwarder was running during the time when you did not see data. You can run the below search for that.

| tstats count where index=_internal host="<your forwarder host>" by _indextime
| eval _time=_indextime
| timechart span=1h sum(count)

(You should see gap in this timechart if forwarder was down.)

0 Karma
Reply

_pravin
Communicator
‎04-07-2022 01:52 AM

Hi @VatsalJagani ,

 

The script is being managed by input.conf from the internal forwarder. There are a few more scripts and files being managed by the same forwarder which are working as usual but only this particular script doesn't work.

Also, the command doesn't produce any results and shows 0 results found.

| tstats count where index=_internal host="<your forwarder host>" by _indextime
| eval _time=_indextime
| timechart span=1h sum(count)

 

Thanks,

Pravin

Tags (1)
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-07-2022 06:05 AM

Please try this search query to check if server was running all the time or not.

index=_internal host="<your forwarder host>"
| timechart span=15m count
  • If the forwarder was up all the time
    • If the server stopped sending all kinds of data during that time as you mentioned
      • then there could be a network bandwidth issue.
      • Also, note that UF has a bandwidth limit of 256Kbps by default
      • If your server is producing a lot of data then your network bandwidth could create that problem.
    • If the server stopped sending particular input data
      • then look at the logs related to that input, and see if you see any errors/warnings.
    • Check for splunkd logs to see if you see any warnings/errors around that time. It should give answer to your question.
  • If above query give you gap in the timechart then that means your forwarder was down during that time.
0 Karma
Reply
Get Updates on the Splunk Community!

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

We love our Splunk Community and want you to feel inspired by all your hard work! Eric Fusilero, our VP of ...

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...