Getting Data In

Syslog logs sent but not the last

rene847
Path Finder

Hi,
(Sorry for my English, I'm French)

I send my logs via syslog on port 514 or 40514 and I have a problem with this new system.
I send 10 tests (logger) and I receive only 9. If I send 5, I receive 4. If I send 19, I receive 18 (always missing the last one on this new system).

When I use tcpdump to see what is sent, I always have 10 if the test is 10, 5 if the test is 5... All my logs are sent, but in the Splunk search engine I am missing the last one. I don't know why, it's very strange...
I have more than 50 systems and the problem is only on this new system.

It's the same system as in another question here: http://answers.splunk.com/answers/230364/french-syslog.html

(I have 2 UF with VIP, 1 indexer, 1 search engine and 1 for management)

What do you think? Are there other tests that I could do?
Do you have a lead to help me try to correct this problem?

Thank you

1 Solution

rene847
Path Finder

Finally, the application logs with French accents are not well managed.
The developers have removed the accents; that was the solution.


woodcock
Esteemed Legend

My suspicion is that this is a buffer flush problem and that the last event will come, but not until something forces the buffer to flush. If you send 5 and only get 4 and then send another 2, do you get the 5th one from the first batch or is it gone? If the former, then there is probably something you can do to force syslog to flush when you need it to (after a certain period of no more input).
