
Missing data UF

BRFZ
Communicator

Hello everyone,

I installed and configured the Splunk Forwarder on a machine. While the logs are being forwarded to Splunk, I’ve noticed that some data is missing from the logs that are coming through.

Could this issue be related to specific configurations that need to be adjusted on the forwarder, or is it possible that the problem is coming from the machines themselves? If anyone has experienced something similar or has insights on how to address this, I would greatly appreciate your advice.

Thank you in advance for your help!

Best regards,

0 Karma

PickleRick
SplunkTrust

There are several possible scenarios why you can't see the data you think should be getting into Splunk.

1. The data is actually not being properly read or otherwise received by the UF - check your inputs and their state, and check splunkd.log for any sign of the UF having problems with inputs. Also check whether files are either not being found by your input definitions, or are being skipped due to - for example - CRC duplication caused by a common header, or simply cannot be read due to insufficient permissions.

2. The data might be configured to be sent to non-existent indexes. If you don't have a last-chance index defined, such events would get discarded.

3. There might be a configuration in place which does some filtering or redirection to other index(es).

4. The data might be getting indexed properly but you might be having problems with time recognition (especially with wrongly set timezones) resulting in events indexed at wrong point in time - that would mean that you're simply not seeing your events because your search range doesn't cover the events being indexed since they are "late".

 

0 Karma
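A small triage script for the four scenarios in the answer above, added here as an example and not part of the original reply. The splunkd.log lines are constructed approximations of the message shapes the UF and indexer write (the regexes are my own assumptions, not a Splunk API), and the paths, index name and event timestamps are made up:

```python
"""Triage helpers for the four "where did my data go" scenarios.

Added example: the splunkd.log lines below are constructed approximations of
the message shapes the UF and indexer write, the paths, index name and
timestamps are made up, and the regexes are assumptions about those messages.
"""
import re
from datetime import datetime, timezone

# Scenario 1 (input side, $SPLUNK_HOME/var/log/splunk/splunkd.log on the UF)
# and scenario 2 (indexer side). Each pattern captures one 'detail' to report.
CHECKS = [
    ("1_unreadable_file",
     re.compile(r"Insufficient permissions to read file='(?P<detail>[^']+)'")),
    ("1_crc_collision",                      # same initcrc as another file -> skipped
     re.compile(r"(?:initcrc|CRC salt).*?file='(?P<detail>[^']+)'", re.I)),
    ("2_missing_index",                      # event sent to an index the indexer lacks
     re.compile(r"unconfigured/disabled/deleted index=(?P<detail>\S+)")),
]

# Constructed sample lines (approximate shapes, not copied from a real host).
SAMPLE_SPLUNKD_LOG = [
    "08-19-2024 14:02:11.123 +0000 WARN  TailReader [1234 tailreader0] - "
    "Insufficient permissions to read file='/var/log/secure' "
    "(hint: chmod o+r '/var/log/secure', or similar)",
    "08-19-2024 14:02:12.456 +0000 WARN  WatchedFile [1234 tailreader0] - "
    "Last time we saw this initcrc, filename was different. You may wish to "
    "use a CRC salt on this source. file='/var/log/app/node02.log'",
    "08-19-2024 14:02:13.789 +0000 INFO  WatchedFile [1234 tailreader0] - "
    "Checksum for seekptr didn't match, will re-read entire "
    "file='/var/log/app/rotated.log'.",            # benign: normal rotation
    "08-19-2024 14:02:14.000 +0000 WARN  IndexProcessor - received event for "
    "unconfigured/disabled/deleted index=winevents with "
    "source=\"source::WinEventLog:Security\" host=\"host::TEST\" "
    "sourcetype=\"sourcetype::WinEventLog\" (1 missing total)",
]


def triage_splunkd(lines):
    """Return {scenario: [detail, ...]} for lines matching a known failure; benign lines are ignored."""
    findings = {name: [] for name, _ in CHECKS}
    for line in lines:
        for name, pattern in CHECKS:
            match = pattern.search(line)
            if match:
                findings[name].append(match.group("detail"))
                break
    return findings


def ts(iso_utc):
    """Epoch seconds for an ISO-8601 timestamp interpreted as UTC."""
    return int(datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc).timestamp())


# Constructed indexed-event metadata: _time is what Splunk parsed from the event,
# _indextime is when the indexer actually wrote it.
SAMPLE_EVENTS = [
    {"_raw": "ok: clock and timezone agree",
     "_time": ts("2024-08-19T14:07:00"), "_indextime": ts("2024-08-19T14:07:05")},
    {"_raw": "tz-shift: UTC+2 local time read as UTC, lands 2h in the future",
     "_time": ts("2024-08-19T16:05:00"), "_indextime": ts("2024-08-19T14:05:10")},
    {"_raw": "backfill: 5h old file read on a new input",
     "_time": ts("2024-08-19T09:06:00"), "_indextime": ts("2024-08-19T14:06:00")},
    {"_raw": "indexed before the window, irrelevant here",
     "_time": ts("2024-08-19T12:00:00"), "_indextime": ts("2024-08-19T12:00:01")},
]


def late_events(events, earliest, latest):
    """Scenario 4: events indexed inside earliest..latest whose _time is outside it.

    A search over that window filters on _time, so these never show up even
    though the indexer received them just now. Returns (raw, lag_hours), where
    lag = _indextime - _time; a lag close to a whole number of hours usually
    points at a timezone misconfiguration rather than genuinely late data.
    """
    late = []
    for ev in events:
        indexed_in_window = earliest <= ev["_indextime"] <= latest
        timed_in_window = earliest <= ev["_time"] <= latest
        if indexed_in_window and not timed_in_window:
            lag_hours = round((ev["_indextime"] - ev["_time"]) / 3600, 1)
            late.append((ev["_raw"], lag_hours))
    return late


if __name__ == "__main__":
    for scenario, details in triage_splunkd(SAMPLE_SPLUNKD_LOG).items():
        print(f"{scenario}: {details}")
    window = (ts("2024-08-19T13:00:00"), ts("2024-08-19T14:10:00"))
    for raw, lag in late_events(SAMPLE_EVENTS, *window):
        print(f"late by {lag:+.1f}h: {raw}")
```

The first function is what you would run over the UF's own splunkd.log (and the indexer's, for the missing-index case); the second mirrors what a search over a wide time range with `| eval lag=_indextime-_time` shows you in Splunk itself, which is the quickest way to confirm scenario 4 before touching TZ settings.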

gcusello
SplunkTrust

Hi @BRFZ ,

Which logs are missing?

Are they always missing, or only at certain moments?

How did you find out that logs are missing?

Ciao.

Giuseppe

0 Karma

BRFZ
Communicator

Hello @gcusello,

The missing data includes certain event IDs that don’t appear at all, and there are also instances where information is incomplete. For example, several fields are filled with dashes ("-"), indicating a lack of information.
0 Karma

gcusello
SplunkTrust

Hi @BRFZ ,

could you share some sample of your logs: both complete and incomplete logs?

Ciao.

Giuseppe

0 Karma

BRFZ
Communicator

For example, in some events, we have the IP address, while in others, we just see a dash ("-") or 0, even for the same event ID.
Example:
 

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/>
    <EventID>4624</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8080000000000000</Keywords>
    <TimeCreated SystemTime='2014-04-24T18:38:37.868683300Z'/>
    <EventRecordID>412598</EventRecordID>
    <Correlation/>
    <Execution ProcessID='192' ThreadID='210980'/>
    <Channel>System</Channel>
    <Computer>TEST</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='SubjectUserSid'>S18</Data>
    <Data Name='SubjectUserName'>BOB</Data>
    <Data Name='SubjectDomainName'>GOZ</Data>
    <Data Name='SubjectLogonId'>x0</Data>
    <Data Name='TargetUserSid'>s20</Data>
    <Data Name='TargetUserName'>BOBT</Data>
    <Data Name='TargetDomainName'>TESTTGT</Data>
    <Data Name='TargetLogonId'>x0</Data>
    <Data Name='LogonType'>x</Data>
    <Data Name='LogonProcessName'>usr </Data>
    <Data Name='AuthenticationPackageName'>Negotiate</Data>
    <Data Name='WorkstationName'>tst</Data>
    <Data Name='LogonGuid'>{845152}</Data>
    <Data Name='TransmittedServices'>-</Data>
    <Data Name='LmPackageName'>-</Data>
    <Data Name='KeyLength'>0</Data>
    <Data Name='ProcessId'>mspam</Data>
    <Data Name='ProcessName'>test.ee</Data>
    <Data Name='IpAddress'>x.x.x.x</Data>
    <Data Name='IpPort'>0</Data>
    <Data Name='ImpersonationLevel'>%%1833</Data>
    <Data Name='RestrictedAdminMode'>mlmpknnn</Data>
    <Data Name='TargetOutboundUserName'>-</Data>
  </EventData>
</Event>

In this example, it's related to the IP address and port. In some cases, we have a specific IP address, while in others, it's just a dash ("-"). Similarly, for the port, sometimes it shows a dash ("-"), and other times it shows a 0, or sometimes the port is correctly specified.




0 Karma

PickleRick
SplunkTrust

That's pretty normal for Windows events. Not every log has every field. And not every field has a reasonable value each time. This is from my home lab.

(screenshot attached: PickleRick_0-1724080169031.png)

 

0 Karma

gcusello
SplunkTrust

Hi @BRFZ ,

I don't think that's a Splunk issue: look at the generated logs.

If it were a Splunk issue you could have a truncated log, but not a missing internal part of the event.

Unless you have a masking policy.

Ciao.

Giuseppe

0 Karma
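Both replies above make the same point: a "-" inside an otherwise intact event was written by Windows, whereas a forwarding or indexing problem would show up as a cut-off record. The following is an added example, not code from anyone in the thread: a small parser for the event XML layout posted earlier that separates the two cases. The records are constructed to mirror that layout with made-up values, and the rule that 0 in IpPort means "not set" is an assumption of mine.

```python
"""Check Windows Event Log XML records for placeholder values vs. truncation.

Added example, not code from the thread. The records are constructed to mirror
the structure of the sample posted above (same namespace and Data Name layout);
the values are made up, and treating 0 in IpPort as "not set" is an assumption.
"""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Fields for which Windows writes 0 (rather than "-") when no value applies. Assumption.
ZERO_MEANS_UNSET = {"IpPort"}


def is_placeholder(name, value):
    """True when the value is one Windows writes for 'does not apply'."""
    value = (value or "").strip()
    return value in ("", "-") or (name in ZERO_MEANS_UNSET and value == "0")


def parse_event(xml_text):
    """Return ('complete', record) or ('truncated', None).

    A record cut off in transit (like the dangling '<Data' at the end of the
    posted sample) fails XML parsing; a record that parses but carries '-' in a
    field was written that way by Windows, so the gap predates forwarding.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "truncated", None
    record = {
        "EventID": root.findtext("e:System/e:EventID", default="", namespaces=NS).strip(),
        "EventRecordID": root.findtext("e:System/e:EventRecordID", default="", namespaces=NS).strip(),
        "fields": {d.get("Name"): (d.text or "").strip()
                   for d in root.iterfind("e:EventData/e:Data", NS)},
    }
    return "complete", record


def field_report(xml_texts):
    """Count, per field, populated vs. placeholder values, plus truncated records."""
    report = {"complete": 0, "truncated": 0, "fields": {}}
    for text in xml_texts:
        status, record = parse_event(text)
        report[status] += 1
        if record is None:
            continue
        for name, value in record["fields"].items():
            bucket = report["fields"].setdefault(name, {"populated": 0, "placeholder": 0})
            bucket["placeholder" if is_placeholder(name, value) else "populated"] += 1
    return report


def _record(record_id, logon_type, ip, port):
    """Build one constructed 4624-style record in the thread's XML layout."""
    return f"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing'/>
    <EventID>4624</EventID>
    <EventRecordID>{record_id}</EventRecordID>
    <Channel>Security</Channel>
    <Computer>TEST</Computer>
  </System>
  <EventData>
    <Data Name='TargetUserName'>BOBT</Data>
    <Data Name='LogonType'>{logon_type}</Data>
    <Data Name='IpAddress'>{ip}</Data>
    <Data Name='IpPort'>{port}</Data>
    <Data Name='TransmittedServices'>-</Data>
  </EventData>
</Event>"""


# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    _record(1001, 3, "10.0.0.5", "49321"),  # network logon: address and port present
    _record(1002, 5, "-", "-"),             # service logon: Windows writes "-" for both
    _record(1003, 3, "::1", "0"),           # loopback logon: port 0
    # cut off mid-record, the way the posted sample ends with a dangling '<Data'
    _record(1004, 3, "10.0.0.6", "50000").split("<Data Name='IpPort'>")[0] + "<Data ",
]


if __name__ == "__main__":
    report = field_report(SAMPLE_RECORDS)
    print(f"complete={report['complete']} truncated={report['truncated']}")
    for name, counts in sorted(report["fields"].items()):
        print(f"{name:22} populated={counts['populated']} placeholder={counts['placeholder']}")
```

Run the same report against XML exported on the source host (for example the ToXml() output of Get-WinEvent) and against the events Splunk indexed; if the dashes and zeros already appear on the host, the forwarder is not dropping anything, and a non-zero truncated count on the Splunk side is the only symptom that would actually point at the pipeline.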