I am having a weird issue with Splunk Enterprise. I had set up a universal internal forwarder to execute a script that gives me the list of all different processes within the Linux environment.
All of a sudden the script stopped producing results from 12 am and the panel didn't work. But again it starts working after 3 days by itself. This happened in both the test and production setup. Is there something that should be taken care of when using scripts in Universal forwarder or is there some reason for this unusual behaviour?
The script is being managed by input.conf from the internal forwarder. There are a few more scripts and files being managed by the same forwarder which are working as usual but only this particular script doesn't work.
Also, the command doesn't produce any results and shows 0 results found.
| tstats count where index=_internal host="<your forwarder host>" by _indextime
| eval _time=_indextime
| timechart span=1h sum(count)