Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I seeing a lot of name=cooked_output events in _internal?

vicvaughan
Explorer
‎07-18-2016 11:03 AM

All of a sudden, noticed getting tons of events in _internal with name=cooked_output. What could be causing this behavior?

0 Karma
Reply

craigv_splunk
Splunk Employee
Splunk Employee
‎07-19-2016 01:48 PM

This event is logged when Splunk sends data over the network. Data can be sent in two ways 1) cooked-when it is sent to another splunk instance and 2)uncooked-when it is being sent somewhere else like to a syslog server. My guess is this the log of a universal forwarder which is sending data to a Splunk indexer. The number of these events will scale proportional to the universal forwarders. They are benign and not a cause for concern. They are provided for informational reasons

0 Karma
Reply

vicvaughan
Explorer
‎07-19-2016 02:04 PM

Thanks for your answer, Craig. The thing that was troubling is that starting on June 18, we have gone from about 10 of these per day to around 1-2 million cooked_output events per day.

0 Karma
Reply

craigv_splunk
Splunk Employee
Splunk Employee
‎07-19-2016 02:06 PM

Interesting. Is there anything that happened on the day that changed in your infrastructure i.e Splunk upgrades, new hosts, major config changes?

0 Karma
Reply

vicvaughan
Explorer
‎07-19-2016 02:18 PM

No. We've talked to the infrastructure guys and the last patches were before the behavior started by a month or so. So the number of cooked seemed excessively high comparatively.

0 Karma
Reply

craigv_splunk
Splunk Employee
Splunk Employee
‎07-19-2016 02:23 PM

Hmm. If there are no Warn or Error messages I don't think that it is anything benign for now. It could be caused by changes in the logging behavior/frequency of a particular log that is being monitored. In my opinion, keep an eye on your environment for more WARN or ERROR messages that would be a clearer indicator that something is wrong.

0 Karma
Reply

craigv_splunk
Splunk Employee
Splunk Employee
‎07-19-2016 01:02 PM

Could you perhaps post the entire event line with source and sourcetype information?

0 Karma
Reply

vicvaughan
Explorer
‎07-19-2016 01:19 PM

yes...

This is typically how it looks:

07-19-2016 15:18:53.994 -0500 INFO  Metrics - group=thruput, name=cooked_output, instantaneous_kbps=0.300961, instantaneous_eps=0.354828, average_kbps=0.397792, total_k_processed=489797.000000, kb=9.330078, ev=11.000000
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...