Servers are missing in Sourcetype=cpu & source=vms...

Pooja1 · ‎12-20-2023

We could see only 10 hosts in index=os sourcetype=cpu & index=os source=vmstat. We should get all the unix/linux hosts on the mentioned sourcetype & source. We are using this to generate high cpu utilization, High memory utilization incidents.

Like till August end we are able to see 100+ host for the mentioned source and sourcetype but after August we are not able to see 100+ host like we could see only 10.15,7

Please help me on this

renjith_nair · ‎12-20-2023

Few preliminary things to check

Are the missing machine still up & running and part of your network?
Is Splunk still running on those missing machines?
Are the forwarders still able to connect to the indexers?
Is the *nix apps (or whichever apps used ) are installed and configured?

---
What goes around comes around. If it helps, hit it with Karma 🙂

lperini_splunk · ‎12-21-2023

Splunk documentation has a page that guides customers to troubleshoot similiar issues as you described, like when they don't find the data/events.

"Are you searching for events and not finding them, or looking at a dashboard and seeing "No result data"? Here are a few common mistakes to check."

https://docs.splunk.com/Documentation/Splunk/9.1.2/Troubleshooting/Cantfinddata

Servers are missing in Sourcetype=cpu & source=vmstat

other

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio