Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Internal index data and performance data is missing

uagraw01
Motivator
‎10-10-2024 10:27 AM

To investigate the issue of missing data in Splunk for a period of 3-4 hours, where gaps were observed in the _internal index as well as in performance metrics like network and CPU data, But still can't able to find out the potential root cause of data missing in Splunk. Please help me what I need to investigate more to find out the potential root cause of the data gap in Splunk.

Gap into the _internal index data

uagraw01_0-1728580827166.png

Network performance data gap is visible

uagraw01_2-1728580878038.png

Gap in the CPU performance data

uagraw01_3-1728580951381.png

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-10-2024 11:27 PM

Hi @uagraw01 ,

in general there can be two potential root causes:

the server is down,

there's a network or server congestion so, the internal Splunk logs have a minor priority than the other logs.

I don't think tha you can find a root cause in _internal, see the server and network logs.

Ciao.

Giuseppe

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-10-2024 11:56 PM

With congestion you would have a drop in throughput but you'd have some values if only from local internal inputs. Here you seem to have no data points whatsoever which means that it's probably an all-in-one installation or the whole splunk infrastructure was down.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎10-10-2024 01:33 PM

It looks like service downtime. Especially considering a sudden spike in throughput after a drop - the forwarders were pushing the queued data.

Check your splunkd.log immediately before and after that outage.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...