The error appears in splunkd.log every few minutes and no data is being ingested into Splunk. What does this mean?
This error prevents Splunk from ingesting the incident data into the index, because it cannot categorize the data by its respective timeframe. Chances are the error will be accompanied by a specific timeframe that matches the value under the "last_call" key in the cl_polling_incidents.ini file.
One possible troubleshooting step is to modify the file:
{path to splunk}/splunk/etc/apps/cloudlock/cache/cl_polling_incidents.ini
Edit its "last_call" parameter so that it matches a format such as:
last_call = YYYY-MM-DDTHH:mm:ss.422103+00:00
This forces the data ingestion process to read from that value and attempt indexing from the date noted. Monitor splunkd.log to see the change reflected:
{path to splunk}/splunk/var/log/splunk/splunkd.log
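The check and edit described above can be scripted so a malformed value is caught before the next polling run. This is an added example, not code from the app or its vendor. The function names, the sample section name and the strict six-digit fractional-seconds requirement (taken from the sample value above) are assumptions.

```python
import re
from datetime import datetime, timezone

# Finds the last_call line without assuming which INI section holds it.
LAST_CALL_RE = re.compile(
    r"^([ \t]*last_call[ \t]*=[ \t]*)(.*?)([ \t\r]*)$", re.MULTILINE)
# Shape of the page's sample: YYYY-MM-DDTHH:mm:ss.ffffff+HH:MM (assumed strict).
STAMP_RE = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}[+-]\d{2}:\d{2}")


def last_call_is_valid(ini_text):
    """True if last_call exists, has the expected shape and is a real date."""
    m = LAST_CALL_RE.search(ini_text)
    if not m or not STAMP_RE.fullmatch(m.group(2)):
        return False
    try:
        datetime.fromisoformat(m.group(2))  # rejects month 13, hour 25, ...
    except ValueError:
        return False
    return True


def set_last_call(ini_text, dt):
    """Return ini_text with last_call rewritten; all other lines untouched."""
    if dt.tzinfo is None:
        raise ValueError("last_call needs an explicit UTC offset")
    if not LAST_CALL_RE.search(ini_text):
        raise KeyError("no last_call key found")
    stamp = dt.isoformat(timespec="microseconds")
    return LAST_CALL_RE.sub(
        lambda m: m.group(1) + stamp + m.group(3), ini_text, count=1)


# Constructed sample; the section name and second key are placeholders.
SAMPLE = "[placeholder_section]\nlast_call = 2021-03-01 10:00\nother_key = 1\n"

if __name__ == "__main__":
    print("valid before:", last_call_is_valid(SAMPLE))
    fixed = set_last_call(SAMPLE, datetime(2021, 3, 1, 10, 0, tzinfo=timezone.utc))
    print(fixed, end="")
    print("valid after:", last_call_is_valid(fixed))
```

Keep a copy of the original cl_polling_incidents.ini before writing the rewritten text back, so the previous polling position can be restored.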