Splunk Search

Missing data UF

BRFZ
Path Finder

Hello everyone,

I installed and configured the Splunk Forwarder on a machine. While the logs are being forwarded to Splunk, I’ve noticed that some data is missing from the logs that are coming through.

Could this issue be related to specific configurations that need to be adjusted on the forwarder, or is it possible that the problem is coming from the machines themselves? If anyone has experienced something similar or has insights on how to address this, I would greatly appreciate your advice.

Thank you in advance for your help!

Best regards,


PickleRick
SplunkTrust

There are several possible scenarios why you can't see the data you think should be getting into Splunk.

1. The data is actually not being properly read or otherwise received by the UF - check your inputs and their state, and check splunkd.log for any sign of the UF having problems with inputs. Also check whether files are either not found by your input definitions, skipped due to, for example, CRC duplication caused by a common header, or simply cannot be read due to insufficient permissions.

2. The data might be configured to be sent to non-existent indexes. If you don't have a last-chance index defined, such events would get discarded.

3. There might be a configuration in place which does some filtering or redirection to other index(es).

4. The data might be getting indexed properly but you might be having problems with time recognition (especially with wrongly set timezones), resulting in events indexed at the wrong point in time - that would mean you're simply not seeing your events because your search range doesn't cover the events being indexed, since they are "late".

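An added set of checks for the four scenarios above, one per scenario. These are not from PickleRick's post; the host name `uf01`, the index `main`, the monitor path and the `wineventlog` index are placeholders, and the `btool`/`list inputstatus` commands are run on the forwarder or indexer shell, not in the search bar.

```spl
# --- 1. Is the UF actually reading the input? ---
#   On the forwarder itself (shell, not SPL):
#     $SPLUNK_HOME/bin/splunk list inputstatus
#     $SPLUNK_HOME/bin/splunk btool inputs list --debug
#   Then, from the search head, read the warnings/errors the UF reported home.
#   "uf01" is a placeholder for the forwarder's host name.
index=_internal source=*splunkd.log* host=uf01 log_level IN ("WARN","ERROR")
| stats count latest(message) AS last_message BY component
| sort - count
#   Files with a shared header are de-duplicated by CRC; salting the CRC with the
#   path, or lengthening the CRC window, makes each file distinct (inputs.conf on the UF):
#     [monitor:///var/log/app/*.log]
#     crcSalt = <SOURCE>
#     initCrcLength = 1024

# --- 2. Events sent to an index that does not exist on the indexer ---
index=_internal sourcetype=splunkd "received event for unconfigured/disabled/deleted index"
| rex "index=(?<missing_index>\S+)"
| stats count BY host, missing_index
#   Fix: create the index, or catch strays with a last-chance index (indexes.conf on indexers):
#     [default]
#     lastChanceIndex = main

# --- 3. Filtering or redirection on the way in ---
#   On the indexer / heavy forwarder (shell), look for nullQueue routing or index rewrites:
#     $SPLUNK_HOME/bin/splunk btool transforms list --debug | grep -iE "nullQueue|_MetaData:Index"
#   And confirm where this host's data really landed, regardless of the index you searched:
| tstats count WHERE index=* host=uf01 BY index, sourcetype

# --- 4. Timestamp / timezone problems ---
#   Compare event time with index time. A large positive lag means events are "late";
#   a negative lag means a timezone or format error pushed them into the future.
index=* host=uf01 earliest=-24h
| eval lag_sec = _indextime - _time
| stats min(lag_sec) AS min_lag max(lag_sec) AS max_lag avg(lag_sec) AS avg_lag count BY sourcetype
#   To see what arrived in the last hour no matter what _time it was assigned, search by index time:
index=* host=uf01 _index_earliest=-1h
| eval indexed_at=strftime(_indextime,"%F %T"), event_time=strftime(_time,"%F %T")
| table indexed_at event_time sourcetype source
```

Run the searches over a range wide enough to cover both sides of any timezone error (for example `earliest=-7d latest=+7d` for the lag search); an event that was parsed a full day into the future is invisible to a default "last 24 hours" search but shows up immediately in the `_index_earliest` query.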

gcusello
SplunkTrust

Hi @BRFZ ,

which are missing logs?

are they missing always or only at certain moments?

how did you find that there are missing logs?

Ciao.

Giuseppe


BRFZ
Path Finder

Hello @gcusello,

The missing data includes certain event IDs that don’t appear at all, and there are also instances where information is incomplete. For example, several fields are filled with dashes ("-"), indicating a lack of information.

gcusello
SplunkTrust

Hi @BRFZ ,

could you share some sample of your logs: both complete and incomplete logs?

Ciao.

Giuseppe


BRFZ
Path Finder

For example, in some events, we have the IP address, while in others, we just see a dash ("-") or 0, even for the same event ID.
Example:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/>
    <EventID>4624</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime='2014-04-24T18:38:37.868683300Z'/>
    <EventRecordID>412598</EventRecordID>
    <Correlation/>
    <Execution ProcessID='192' ThreadID='210980'/>
    <Channel>System</Channel>
    <Computer>TEST</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='SubjectUserSid'>S18</Data>
    <Data Name='SubjectUserName'>BOB</Data>
    <Data Name='SubjectDomainName'>GOZ</Data>
    <Data Name='SubjectLogonId'>x0</Data>
    <Data Name='TargetUserSid'>s20</Data>
    <Data Name='TargetUserName'>BOBT</Data>
    <Data Name='TargetDomainName'>TESTTGT</Data>
    <Data Name='TargetLogonId'>x0</Data>
    <Data Name='LogonType'>x</Data>
    <Data Name='LogonProcessName'>usr</Data>
    <Data Name='AuthenticationPackageName'>Negotiate</Data>
    <Data Name='WorkstationName'>tst</Data>
    <Data Name='LogonGuid'>{845152}</Data>
    <Data Name='TransmittedServices'>-</Data>
    <Data Name='LmPackageName'>-</Data>
    <Data Name='KeyLength'>0</Data>
    <Data Name='ProcessId'>mspam</Data>
    <Data Name='ProcessName'>test.ee</Data>
    <Data Name='IpAddress'>x.x.x.x</Data>
    <Data Name='IpPort'>0</Data>
    <Data Name='ImpersonationLevel'>%%1833</Data>
    <Data Name='RestrictedAdminMode'>mlmpknnn</Data>
    <Data Name='TargetOutboundUserName'>-</Data>
  </EventData>
</Event>

In this example, it's related to the IP address and port. In some cases, we have a specific IP address, while in others, it's just a dash ("-"). Similarly, for the port, sometimes it shows a dash ("-"), and other times it shows a 0, or sometimes the port is correctly specified.

PickleRick
SplunkTrust

That's pretty normal for Windows events. Not every log has every field. And not every field has a reasonable value each time. This is from my home lab.

[screenshot from PickleRick's home lab omitted]

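An added way to confirm the point above, not code from PickleRick's post: if the dashes come from Windows rather than from the forwarder, they will line up with the logon type (local and service logons carry no source address, network logons do), and the raw events will still be complete. It assumes the Splunk Add-on for Windows field extractions (`EventID`, `LogonType`, `IpAddress`) are in place and that the events live in an index named `wineventlog`; both are placeholders.

```spl
# --- Do empty source-address fields correlate with logon type? ---
# Dash, 0 and loopback all mean "no remote source" as far as Windows is concerned.
index=wineventlog sourcetype=XmlWinEventLog EventID=4624
| eval ip_state = case(isnull(IpAddress), "field absent",
                       IpAddress IN ("-", "0", "::1", "127.0.0.1"), "no source IP (local)",
                       true(), "remote IP present")
| stats count BY LogonType, ip_state
| sort LogonType
# Expected shape of the result: LogonType 3 (network) and 10 (RDP) rows are dominated by
# "remote IP present"; LogonType 2, 4, 5 and 7 rows are dominated by "no source IP (local)".

# --- Was anything actually truncated by Splunk? ---
# A forwarder/indexer truncation cuts the tail of _raw, so the closing tag disappears.
# A dash inside an otherwise well-formed event is a value Windows wrote, not a Splunk loss.
index=wineventlog sourcetype=XmlWinEventLog
| eval complete = if(match(_raw, "</Event>\s*$"), "closed", "truncated")
| eval raw_len = len(_raw)
| stats count max(raw_len) AS max_len BY complete
# If "truncated" shows up, compare max_len with TRUNCATE in props.conf for the sourcetype
# (the default is 10000 bytes) before blaming the source.
```

The first search answers gcusello's "which logs are missing" question with data instead of a sample: the dashes are expected exactly where the logon has no network peer. The second search is the one check that would implicate Splunk itself, and it should return only "closed".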

gcusello
SplunkTrust

Hi @BRFZ ,

I don't think that's a Splunk issue: see the generated logs.

If it were a Splunk issue, you could have a truncated log, but not a missing internal part of the event.

Unless you have a masking policy.

Ciao.

Giuseppe
