Are you searching for events and not finding them or looking at a dashboard and seeing "No result found"? Check Splunk Nozzle app logs. To view the nozzle's logs running on VMware Tanzu do the following: Log in as an admin via the CLI. Target the org created by the tile. View the recent app Splunk Nozzle logs (the version number installed by the tile will vary). Alternatively, you can stream the app logs as they're emitted. Here are a few common errors and possible resolutions:

Search app logs of the Nozzle to confirm correct behavior: A correct setup logs a start message with configuration parameters of the Nozzle logged as a JSON object, for example: Search app logs of the Nozzle for any errors: Errors are logged with corresponding message and stacktrace.

As the Splunk Firehose Nozzle sends data to Splunk via HTTPS using the HTTP Event Collector, it is also susceptible to any network issues across the network path from point to point. Run the following search to determine if Splunk has indexed any events indicating issues with the HEC Endpoint.

If the nozzle emits the 'dropped events' warning saying that downstream is slow, then the network or Splunk environment might needs to be scaled. (eg. Splunk HEC receiver node, Splunk Indexer, LB etc) Run the following search to determine if Splunk has indexed any events indicating such issues.

If "Event Tracing" is enabled, extra metadata will be attached to events. This allows searches to calculate the percentage of data loss inside the Splunk Firehose Nozzle, if applicable. Each instance of the Splunk Firehose Nozzle will run with a randomly generated UUID. The query below will display the message success rate for each UUID (Please update the index value based on your nozzle configuration).

Checkout Troubleshoot HTTP Event Collector for troubleshooting issues related to HTTP Event Collector. Checkout Splunk Answers. Using the forum can save you time.