- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Sourcetype="something" returns no results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a very simple scripted input which calls a .cmd file and in turn calls a .ps1 file. That PS1 file does a test-connection against a bunch of servers and returns the response time to the console and therefore Splunk. This is passed into a sourcetype called "ping". This has been working fine for about 2 weeks but last night at exactly midnight I stopped getting results in my searches for sourcetype="ping". You can see that the events just stop in the screenshot below:
http:// nov.imghost.us/cDKu.png
-I've checked that the script still returns results when run manually
-Splunk.log shows that the script is being run and has a sensible response time
-I tried passing the results into a new sourctype, eg ping_test
The weird thing is that if I go to the summary page in the search app and watch the "ping" sourcetype it's count and "last update" timestamp keep incrementing suggesting that Splunk is receiving the data, it just isn't being returned by the search.
Thanks in advance 🙂
Edit: I forgot to mention that we're on V4.3, build 115073
The sourcetype's stanza in props.conf is as follows:
[ping]
CHECK_FOR_HEADER = True
CHARSET=AUTO
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm about 90% sure this has to do with improper timestamp recognition. Yesterday was October 31st, today is November 1st and my guess is if you search in Splunk for things happening on January 11th (11/1 or 1/11 depending on which date system you use) you will find your missing events. Solution is to set a TIME_FORMAT in props.conf for your sourcetype where you tell Splunk how to correctly interpret the timestamps it finds in your events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm about 90% sure this has to do with improper timestamp recognition. Yesterday was October 31st, today is November 1st and my guess is if you search in Splunk for things happening on January 11th (11/1 or 1/11 depending on which date system you use) you will find your missing events. Solution is to set a TIME_FORMAT in props.conf for your sourcetype where you tell Splunk how to correctly interpret the timestamps it finds in your events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TIME_FORMAT was the answer
thanks again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That makes sense as I would guess that the script was added after 12th October, eg after a date when Splunk could mix up days and months. I'll look into that - thanks for the really quick response!
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
