Splunk Enterprise

When an error occurs during integration process, will that be recorded by "_internal" index?

restinlinux
Explorer

Hey Splunkers!

When an error occurs during the integration process, will that be recorded by the "_internal" index?

Will data onboarding / data parsing errors be recorded by the _internal index?

If so, a logical SPL query to troubleshoot those errors would be welcome.

What kind of integration errors will be recorded in the _internal index?

0 Karma

richgalloway
SplunkTrust

It depends on the type of integration and how it is done, but, yes, there often is something in _internal when a problem occurs during data onboarding.

Some common error messages pertain to timestamp parsing, line breaking, scripted input failure, and much more.

The exact SPL query will depend on what you seek, but start with index=_internal error and go from there.

---
If this reply helps you, Karma would be appreciated.
0 Karma

restinlinux
Explorer

Thanks! @richgalloway

Does it collect network-related issues from the endpoints?

And will errors that occur during forwarding data be recorded in the _internal index?

The query is really a basic one which brings up all the error events in the _internal index...

Looking and working on some nice SQL-like query to calculate all the errors based on their type (parsing, timestamp, etc.) during the integration.

And by analyzing the _internal index, there's a field named component with a lot of values which seems to be interesting. If possible, can you brief these field values?

-----------

RestinLinux

0 Karma

richgalloway
SplunkTrust

No, the _internal index does not collect data from endpoints (except for UFs).  It logs Splunk's own event messages, including those from search heads, indexers, and forwarders. 

Yes, the query I provided was very basic - as was the question it answered.  For more specific help, ask a more specific question.  Experiment with it until you end up with a query (or several) that suits your use case(s).

Components are useful to filter on.  There are many, perhaps hundreds, of components, so I can't document them here (not sure they're documented anywhere), but some of the more useful ones for finding onboarding issues are: LineBreakingProcessorMetrics (shows throughput, among other things), HttpListener (if using HEC), TailReader (tells about monitored files), TcpInputProc (connections from other Splunk instances), DateParserVerbose (timestamp parsing errors), Aggregator* (line merging issues).

---
If this reply helps you, Karma would be appreciated.
0 Karma

isoutamo
SplunkTrust

The easiest way to look at those which @richgalloway pointed out is MC. Just open it and look at Indexing -> Inputs -> Data Quality. Then select a suitable Time Range and other offered filters and you will get a list of issues. You could drill down with those values to look at those issues at a more detailed level.

0 Karma
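An added example, not part of any reply in this thread: one way to count onboarding-related warnings and errors by type, built from the components named in the replies above. It assumes the default splunkd sourcetype and its log_level field; the issue_type labels are invented for this illustration, and the LineBreakingProcessor* and Aggregator* wildcards are deliberately broad.

```spl
index=_internal sourcetype=splunkd (log_level=WARN OR log_level=ERROR)
    (component=DateParserVerbose OR component=LineBreakingProcessor* OR component=Aggregator*
     OR component=TailReader OR component=TcpInputProc OR component=HttpListener)
| eval issue_type=case(
    component=="DateParserVerbose", "timestamp parsing",
    like(component, "LineBreakingProcessor%"), "line breaking",
    like(component, "Aggregator%"), "line merging",
    component=="TailReader", "monitored files",
    component=="TcpInputProc", "forwarder connections",
    component=="HttpListener", "HEC",
    true(), "other")
| stats count AS events, dc(host) AS hosts, latest(_time) AS last_seen BY issue_type, component, log_level
| convert ctime(last_seen)
| sort - events
```

Dropping the component filter and keeping only the stats by component and log_level gives a quick inventory of which components are logging problems in a given environment.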