User complained that Splunk is not logging data
Data being stopped logging after 1:40 PM on Tue Dec 3rd.
Please help me in resolving the problem.
Hi @pratapa,
there could be many reasons because your Splunk doesn't receive data, you should debug point by point all your architecture:
index=_internal host=your_host
)?Then check the inputs.conf deployed to that server.
Ciao.
Giuseppe
Hi Pratapa,
Can you please provide the type of logs ?
Is it stopped from all the sources or Host or Sourcetype ?
We have to know more about your Splunk environment to offer specific help, but there are some things you can check.
Are the forwarders still running?
Is the data source still producing events?
If the data comes from a monitored file, is the file still present and has permissions allowing Splunk to read it?
Did any network changes happen that might prevent the data from getting to the indexer(s)?
Are there any errors in splunkd.log that might indicate a problem getting data in?