Solved: Re: Is there an internal log in Splunk with the nu...

jhigginsmq · ‎12-13-2016

Hi.

We have recently been inadvertently sending some events to the null queue, due to a new data source that matches a greedy regex pattern specified in transforms.conf on the indexer. We can correct the regex easily, but as I understand it, the events are lost for good as there is no copy of the raw data anywhere.

My question: is there maybe a log in Splunk that will advise on the number of events sent to the null queue? It would be good to know the fraction of incoming events being discarded, although some of these will be from a legitimate, intended match to the regex in transforms.conf.

twinspop · ‎12-13-2016

index=_internal component=metrics processor=nullqueue group=pipeline sourcetype=splunkd

View solution in original post

somesoni2 · ‎12-13-2016

Give this a try

index=_internal sourcetype=splunkd source=*metrics.log group=pipeline processor=nullqueue | stats sum(executes) as NullQueueInvocations

twinspop · ‎12-13-2016

index=_internal component=metrics processor=nullqueue group=pipeline sourcetype=splunkd

jhigginsmq · ‎12-14-2016

Thanks guys, I used up my '2 posts a day' yesterday so just responding now... I've never really looked at metrics.log before but been reading up on it, looks to be quite useful, cheers.

koshyk · ‎12-13-2016

Are you dropping at "heavy forwarders" or at "indexers" ?

jhigginsmq · ‎12-13-2016

Hi Koshyk, this would be at the indexers.

Is there an internal log in Splunk with the number of events that were sent to null queue?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases