Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a configuration that would set Splunk to ignore log events above a daily threshold?

jyppy
Explorer
‎08-21-2014 03:46 PM

I have 2 hosts logging to splunk via syslog. Events are received for both for a while... then one of them (the most verbose of the 2) is being ignored after ~ 24hours !!!

I restart splunk and indexing resumes...

I've noticed that the "Data Summary" shows events being received. (time stamps are current), but using the Search, I get no recent entry shows for that host!!!

Is there a configuration option that would set Splunk to ignore log events above a daily threshold? Nothing is showing in "Splunk Messages"

Thanks

Reply
1 Solution
Solved! Jump to solution
Solution

jyppy
Explorer
‎08-25-2014 04:04 AM

The root cause was multiline support.

1) I added the following to my props.conf file:

[src-voip]
BREAK_ONLY_BEFORE = ^<\d+\>

2) created a new data source with this source type.

All good now.

View solution in original post

Reply
Solved! Jump to solution
Solution

jyppy
Explorer
‎08-25-2014 04:04 AM

The root cause was multiline support.

1) I added the following to my props.conf file:

[src-voip]
BREAK_ONLY_BEFORE = ^<\d+\>

2) created a new data source with this source type.

All good now.

Reply
Solved! Jump to solution

grijhwani
Motivator
‎08-25-2014 06:27 AM

Accept your own answer. Good to know you found the solution.

0 Karma
Reply
Solved! Jump to solution

Ayn
Legend
‎08-22-2014 12:38 AM

Nope, there's no such configuration setting. Your problems are due to something else. I don't know exactly what unfortunately, but some troubleshooting tips:

  • Check if events are actually coming in but for some reason getting a wrong timestamp, by doing a realtime search for your host. Or run a search for your host and use the _index_earliest parameters, for instance "_index_earliest=-15m"
  • Check splunkd.log for errors related to these events.
Reply
Solved! Jump to solution

jyppy
Explorer
‎08-22-2014 06:31 PM

Great tip,

looking at the splunkd log.... full of " Failed to parse timestamp."

search string: index=_internal source="/splunk/var/log/splunk/splunkd.log"

08-23-2014 11:19:56.801 +1000 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Fri Aug 22 01:50:00 2014). Context: source::udp:50514|host::192.168.2.200|syslog|

I'll have to check to source and see the format of syslog event. NTP clock is OK....

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...