Events are not getting generated after the date 15th June, 2019 for the following query.
index=webmethods_prd sourcetype="webmethods:wmerror"
However, events are getting generated for the dates before 15th June, 2019.
User needs the events to be generated for the dates after 15th June, 2019 as well.
What could be the problem?
Hi
dbmon-tail is probably part of DB Connect v.1.x? Maybe someone has updated the OS or something else on that server. If so, it’s probably easiest to figure out if you could do a fresh install of DB Connect 3.3.x and configure it to connect to the DB of Webmethods.
r. Ismo
The issue was "Java Bridge server was not running". We engaged splunk support and they fixed the issue.
We configured to connect DB of webmethods and restarted splunk. That resolved the issue.
Hi @pratapa ,
to debug ingesting you have to check all the data supply chain:
Ciao.
Giuseppe
data are generated by the source system?
I need to check from the user what data he is looking for.
the source system reach to send logs to the Indexer?
Yes, the source system is able to reach the indexer to send logs.
I verified this with the following query.
index=_internal host=aeapwmora02
Events were generated for today's data.
are index and sourcetype correct?
I verified the inputs.conf on the source system, but nothing is defined in inputs.conf.
[root@aeaxwmora02 local]# pwd
/opt/splunkforwarder/etc/system/local
[root@aeaxwmora02 local]# cat inputs.conf
[default]
host = aeaxwmora02
[root@aeaxwmora02 local]#
We found that the index webmethods_prd exists, using the following query.
| eventcount summarize=false index=* index=_* | dedup index | fields index
And the sourcetype exists, per the following query.
sourcetype="webmethods:wmerror" host=aeaxwmora02
Events are getting generated and we got the latest event dated 6/15/2019.
No events were generated after the date 6/15/2019.
Under interesting fields, the value of index is showing as webmethods_prd.
What should be the next steps?
Do I need to get from the user which source files he is looking for, along with the path,
and configure them in inputs.conf?
Hi @pratapa ,
if logs are generated by the target system, try to force the sourcetype in inputs.conf.
Then check in the previously received logs whether the timestamp is correctly read by Splunk or if there is some difference (e.g. solar time, date format, etc.).
Ciao.
Giuseppe
The user says that it’s a database, not a file, and hence doesn’t follow the usual Splunk forwarder file indexing process.
The source is like this:
dbmon-tail://wmb2bprd/webmethods:WMERROR
How should I proceed?
Hi @pratapa ,
insert in your inputs.conf the sourcetype to assign to this log.
Then, running a search in Splunk on the old logs, check if the timestamp is correctly assigned to the events.
Ciao.
Giuseppe
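The timestamp check suggested in the two replies above can be run as a single search. This is an added example, not part of the original thread: the index and sourcetype are the ones from the question, while the field names lag_sec, event_day and last_indexed and the one-year look-ahead window are choices made for this example.

```spl
index=webmethods_prd sourcetype="webmethods:wmerror" earliest=0 latest=+1y
| eval lag_sec = _indextime - _time
| eval event_day = strftime(_time, "%Y-%m-%d")
| stats count AS events, min(lag_sec) AS min_lag_sec, max(lag_sec) AS max_lag_sec, max(_indextime) AS last_indexed BY event_day
| eval last_indexed = strftime(last_indexed, "%Y-%m-%d %H:%M:%S")
| sort - event_day
```

A large or negative lag_sec on some days means the parsed event time (_time) differs from the time Splunk indexed the event, which points to a date-format or time-zone problem; if last_indexed itself stops on the same day as the newest event_day, nothing has arrived at the indexer since then and the input side is where to look.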
Hi,
I incorporated the following in inputs.conf.
[monitor://dbmon-tail://wmb2bprd/webmethods:WMERROR]
index = webmethods_prd
sourcetype = webmethods:wmerror
disabled = false
[root@aeaxwmora02 local]# pwd
/opt/splunkforwarder/etc/system/local
[root@aeaxwmora02 local]# cat inputs.conf
[default]
host = aeaxwmora02
[monitor://dbmon-tail://wmb2bprd/webmethods:WMERROR]
index = webmethods_prd
sourcetype = webmethods:wmerror
disabled = false
Restarted Splunk, but still showing data till 6/15/2019. Data after 6/15/2019 is not showing.
Hi @pratapa ,
I don't see errors.
Could you share an example of the data (before the 15th) and the search you're running?
Ciao.
Giuseppe
Following is the search query.
index=webmethods_prd sourcetype=webmethods:wmerror
Time range picker : All time
Sample data of 15th June, 2019.
15/06/2019 03:30:46.948 | aeaxwmora02 | dbmon-tail://wmb2bprd/webmethods:WMERROR | webmethods:wmerror |
This issue is resolved.