Logs not ingested

abhi04 · ‎04-26-2024

Hi All,

I am unable to see the logs for the source even after seeing the file is being tailed and read in internal logs. Can you please guide as to what could be wrong here?

I can see in internal logs:
INFO Metrics - group=per_source_thruput, series="log_source_path", kbps=0.056, eps=0.193, kb=1.730, ev=6, avg_age=0.000, max_age=0

But I dont see the logs in Splunk, the recent logs are there in file in the host, other sources are also coming into splunk fine.

abhi04 · ‎04-26-2024

@richgalloway well it goes to specific index, but I have also tried the below and I dont see the source or the events:

index=* host=abc | stats values(source) 

index=* source=log_source_path

PickleRick · ‎04-26-2024

1. You can look for the source using metadata command

| metadata type=sources

or even

| metadata type=sources index=your_index

Alternatively you can use tstats

| tstats count where index IN (some, subset, of, your, indexes) source="your_source" by index

2. The data may not be findable due to a host of possible issues:

a) The data is indexed outside of your search timerange due to either data itself or wrong timestamp recognition

b) The configuration can be filtering/redirecting events to another index

c) The data may be being sent to a non-existent index and you don't have last-resort index defined

d) The source might be overwritten on ingestion.

richgalloway · ‎04-26-2024

What search are you using to try to find the data?

---
If this reply helps you, Karma would be appreciated.

Logs not ingested

using Splunk Cloud

Your Guide to SPL2 at .conf24!

Get ready to show some Splunk Certification swagger at .conf24!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...