Getting Data In

TCP-SSL is receiving data but events are not getting indexed

livioricciulli
Engager

I am developing and app and everything worked fine for a while. I then tried to package everything under my app default directory including the input.conf:
[tcp-ssl:xxxx]
sourcetype = syslog

[SSL]
rootCA = /opt/splunk/etc/certs/cacert.pem
serverCert = /opt/splunk/etc/certs/splunk.pem
password = xxxxx

I can see the packets coming in the port using tcpdump; so, Splunk is receiving network data but the idexing stopped; the data is diappearing. There are no licensing issues and I am stuck. No errors How do I debug this?

0 Karma
1 Solution

livioricciulli
Engager

Thanks I found the problem. The Splunk timestamp processor was not able to process the <\d+> field of syslog messages. I fixed it with DATETIME_CONFIG = CURRENT in the props.conf file which disables the timestamp processor.

View solution in original post

0 Karma

livioricciulli
Engager

Thanks I found the problem. The Splunk timestamp processor was not able to process the <\d+> field of syslog messages. I fixed it with DATETIME_CONFIG = CURRENT in the props.conf file which disables the timestamp processor.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@livioricciulli - If this is the working solution to your question, please don't forget to click "Accept" in order to close out your question. That way others can easily find it if they're having the same issue. Thanks!

0 Karma

jkat54
SplunkTrust
SplunkTrust

Search you _internal index for err* or warn*

index=_internal log_level=err* OR log_level=warn*

Sometimes its easier to restart splunk, then perform the search looking at last 15 minutes (to reduce the clutter you will find).

If there is an ssl issue it should show up at the time of the restart.

0 Karma

skalliger
SplunkTrust
SplunkTrust

Can you please post your complete inputs.conf and outputs.conf (masked of course) from your app directory and the inputs.conf from your indexer.
This would help.

Skalli

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...