Splunk Enterprise

When an error occurs during integration process, will that be recorded by "_internal" index?

restinlinux
Explorer

Hey Splunkers !

 

When an error occurs during the integration process, will it be recorded in the "_internal" index?

Will data onboarding / data parsing errors be recorded in the _internal index?

If so, a logical SPL query to troubleshoot those errors would be welcome.

What kind of integration errors will be recorded in the _internal index?

0 Karma

richgalloway
SplunkTrust

It depends on the type of integration and how it is done, but, yes, there often is something in _internal when a problem occurs during data onboarding.

Some common error messages pertain to timestamp parsing, line breaking, scripted input failure, and much more.

The exact SPL query will depend on what you seek, but start with index=_internal error and go from there.

---
If this reply helps you, Karma would be appreciated.
0 Karma

restinlinux
Explorer

Thanks, @richgalloway!

Does it collect network-related issues from the endpoints?

And will errors that occur while forwarding data be recorded in the _internal index?

The query is really a basic one which brings up all the error events in the _internal index...

I'm looking for and working on some nice SQL-like query to calculate all the errors based on their type (parsing, timestamp, etc.) during the integration.

And by analyzing the _internal index, there's a field named component with a lot of values which seems to be interesting. If possible, can you brief me on this field's values?

 

-----------

RestinLinux 

 

0 Karma

richgalloway
SplunkTrust

No, the _internal index does not collect data from endpoints (except for UFs).  It logs Splunk's own event messages, including those from search heads, indexers, and forwarders. 

Yes, the query I provided was very basic - as was the question it answered.  For more specific help, ask a more specific question.  Experiment with it until you end up with a query (or several) that suits your use case(s).

Components are useful to filter on.  There are many, perhaps hundreds, of components, so I can't document them here (not sure they're documented anywhere), but some of the more useful ones for finding onboarding issues are: LineBreakingProcessorMetrics (shows throughput, among other things), HttpListener (if using HEC), TailReader (tells about monitored files), TcpInputProc (connections from other Splunk instances), DateParserVerbose (timestamp parsing errors), Aggregator* (line merging issues).

---
If this reply helps you, Karma would be appreciated.
0 Karma
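Added example, not part of any reply in this thread: one way to count onboarding errors by type is to filter splunkd's ERROR and WARN events on the components named above and bucket them with eval. The issue_type labels are illustrative names chosen here, LineBreakingProcessor is added alongside the components from the reply, and the search assumes the default splunkd sourcetype extractions (log_level, component, event_message).

```spl
index=_internal sourcetype=splunkd (log_level=ERROR OR log_level=WARN)
    (component=DateParserVerbose OR component=LineBreakingProcessor
     OR component=Aggregator* OR component=TailReader
     OR component=TcpInputProc OR component=HttpListener)
| eval issue_type=case(
    component=="DateParserVerbose", "timestamp parsing",
    component=="LineBreakingProcessor", "line breaking",
    like(component, "Aggregator%"), "line merging",
    component=="TailReader", "monitored files",
    component=="TcpInputProc", "forwarder connections",
    component=="HttpListener", "HEC",
    true(), "other")
| stats count AS events,
        dc(host) AS reporting_instances,
        latest(_time) AS last_seen,
        latest(event_message) AS sample_message
        BY issue_type, component, log_level
| convert ctime(last_seen)
| sort - events
```

Here host is the Splunk instance that logged the message, so adding host to the BY clause shows which forwarder or indexer is reporting each issue.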

isoutamo
SplunkTrust

The easiest way to look at those which @richgalloway pointed out is the MC. Just open it and look at Indexing -> Inputs -> Data Quality. Then select a suitable Time Range and the other offered filters and you will get a list of issues. You can drill down with those values to look at those issues at a more detailed level.

0 Karma