Getting Data In

Is there a configuration that would set Splunk to ignore log events above a daily threshold?

jyppy
Explorer

I have 2 hosts logging to Splunk via syslog. Events are received for both for a while... then one of them (the most verbose of the 2) is being ignored after ~24 hours!!!

I restart Splunk and indexing resumes...

I've noticed that the "Data Summary" shows events being received (timestamps are current), but using the Search, no recent entries show for that host!!!

Is there a configuration option that would set Splunk to ignore log events above a daily threshold? Nothing is showing in "Splunk Messages".

Thanks

1 Solution

jyppy
Explorer

The root cause was multiline support.

1) I added the following to my props.conf file:

[src-voip]
BREAK_ONLY_BEFORE = ^<\d+\>

2) Created a new data source with this source type.

All good now.

grijhwani
Motivator

Accept your own answer. Good to know you found the solution.

Ayn
Legend

Nope, there's no such configuration setting. Your problems are due to something else. I don't know exactly what unfortunately, but some troubleshooting tips:

  • Check if events are actually coming in but for some reason getting a wrong timestamp, by doing a realtime search for your host. Or run a search for your host and use the _index_earliest parameters, for instance "_index_earliest=-15m"
  • Check splunkd.log for errors related to these events.

jyppy
Explorer

Great tip,

Looking at the splunkd log.... full of "Failed to parse timestamp."

search string: index=_internal source="/splunk/var/log/splunk/splunkd.log"

08-23-2014 11:19:56.801 +1000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Aug 22 01:50:00 2014). Context: source::udp:50514|host::192.168.2.200|syslog|

I'll have to check the source and see the format of the syslog event. NTP clock is OK....

Thanks

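As an added illustration (not part of the original thread), this Python script mimics the two behaviours discussed above: breaking a syslog stream on every newline versus starting an event only before a `<PRI>` header, as the accepted BREAK_ONLY_BEFORE stanza does, and the timestamp fallback to the previous event that the DateParserVerbose warning reports. The host name, message text and year are constructed.

```python
import re
from datetime import datetime

# Constructed sample from a hypothetical VoIP host (not from the original post):
# three syslog events, the middle one carrying a two-line SDP body.
RAW_STREAM = (
    "<134>Aug 23 11:19:55 pbx01 sip: INVITE received from 10.0.0.5\n"
    "<134>Aug 23 11:19:56 pbx01 sip: SDP body follows\n"
    "v=0\n"
    "m=audio 49170 RTP/AVP 0\n"
    "<134>Aug 23 11:19:57 pbx01 sip: 200 OK sent\n"
)
YEAR = 2014  # RFC 3164 headers carry no year; assumed here

# Same pattern as the BREAK_ONLY_BEFORE stanza in the accepted answer.
EVENT_START = re.compile(r"^<\d+>", re.M)
# Syslog header timestamp right after the <PRI>, e.g. "Aug 23 11:19:55".
HEADER_TS = re.compile(r"^<\d+>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d)")


def break_events(raw, per_line):
    """per_line=True splits on every newline; False starts an event only
    where EVENT_START matches, which is what BREAK_ONLY_BEFORE does."""
    if per_line:
        return [line for line in raw.splitlines() if line]
    starts = [m.start() for m in EVENT_START.finditer(raw)]
    ends = starts[1:] + [len(raw)]
    return [raw[s:e].strip() for s, e in zip(starts, ends)]


def assign_timestamps(events, previous=datetime(YEAR, 8, 22, 1, 50)):
    """Parse each event's timestamp. On failure fall back to the previous
    event's time, mirroring the DateParserVerbose WARN quoted in this thread.
    Returns [(timestamp, first line of event)] and the number of fallbacks."""
    assigned, fallbacks = [], 0
    for event in events:
        m = HEADER_TS.match(event)
        if m:
            previous = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        else:
            fallbacks += 1  # continuation line seen as its own event: no header
        assigned.append((previous, event.splitlines()[0]))
    return assigned, fallbacks


if __name__ == "__main__":
    for per_line in (True, False):
        assigned, fallbacks = assign_timestamps(break_events(RAW_STREAM, per_line))
        print(f"per_line={per_line}: {len(assigned)} events, {fallbacks} fallbacks")
        for ts, first in assigned:
            print("  ", ts, first)
```

Events that inherit a fallback timestamp are still indexed, which is why a search on index time such as the `_index_earliest=-15m` tip above finds them while a default event-time search over the last few minutes does not.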