Re: does not perform log collection

ArianeSantos

We have splunk installed and the collection was happening normally, but for a few days now the collection has stopped. the forwarder is running normally. How do I solve the problem with automatic report collection and sending?

deepakc

"How do I solve the problem with automatic report collection and sending?"

Maybe you can use the below this to check, using the metadata command this example shows if a host has not sent any data to the _internal index, this can be change to another index where you are expecting regular data to come to, and you can also change the period -5m to say 10 mins etc, you can then save this as an alert, or dashboard table to inform you when there is no data and look as to why etc.

| metadata type=hosts index=_internal
| table host, firstTime, lastTime, recentTime 
| rename totalCount as Count firstTime as "First_Event" lastTime as "Last_Event" recentTime as "Last_Update" 
| fieldformat Count=tostring(Count, "commas") 
| fieldformat "First_Event"=strftime('First_Event', "%c") 
| fieldformat "Last_Event"=strftime('Last_Event', "%c") 
| fieldformat "Last_Update"=strftime('Last_Update', "%c") 
| where Last_Update <= relative_time(now(),"-5m")
| table host, Last_Update

gcusello

Hi @ArianeSantos ,

let me understand: your ingestion correcty worked until the 30th of April and stopped from the 1st of May, is it correct?

In this case, check the date format of your data and check if the events of the 1st of may was indexed with timestamp 2024-01-05.

If you have an european date format (dd/mm/yyyy) and you didn't forced the format (TIESTAMP_FORMAT = %d/%m/%Y), Splunk by default uses the american format (mm/dd/yyyy), so in the first 12 days of the month, you have an error.

You can solve the issue forcing the TIME_FORMAT.

Ciao.

Giuseppe

does not perform log collection

Windows

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?