It's a simple Splunk install, just on one server.
On the file & directories data inputs screen, I have set up a continous file input for a given folder.
This input worked the first time: I copied a file in the folder, and it got indexed as expected.
Now I'm copying a file to it again, I can see the "number of files" column incrementing, so it looks like Splunk saw the new file, but the data is not indexed.
Anybody has an idea about what i can do?
Thanks to somesoni, I ran:
index=_internal sourcetype=splunkd component=TailingProcessor '/data/scada/testlogs/capacity/CapacityIndex01-09-2014.txt'
which returned:
01-16-2015 11:19:10.811 +0000 WARN TailingProcessor - Insufficient permissions to read file='/data/scada/testlogs/capacity/CapacityIndex01-09-2014.txt' (hint: Permission denied).
I guess it has to do with Splunk process account not having sufficient priviledges to read in the folder where the file was written.
I created another input in another folder, and copied the same file there, and it worked, the data got indexed.
Thanks to somesoni, I ran:
index=_internal sourcetype=splunkd component=TailingProcessor '/data/scada/testlogs/capacity/CapacityIndex01-09-2014.txt'
which returned:
01-16-2015 11:19:10.811 +0000 WARN TailingProcessor - Insufficient permissions to read file='/data/scada/testlogs/capacity/CapacityIndex01-09-2014.txt' (hint: Permission denied).
I guess it has to do with Splunk process account not having sufficient priviledges to read in the folder where the file was written.
I created another input in another folder, and copied the same file there, and it worked, the data got indexed.
Run this query and check the events for reason.
index=_internal sourcetype=splunkd component=TailingProcessor "YourFileName"
Thanks very much somesoni, I get one line:
01-16-2015 11:19:10.811 +0000 WARN TailingProcessor - Insufficient permissions to read file='/data/scada/testlogs/capacity/CapacityIndex01-09-2014.txt' (hint: Permission denied).
as you are trying same file again and again it will no indexed
use crcSalt in inputs.conf
http://docs.splunk.com/Documentation/Splunk/6.2.1/admin/inputsconf