windows splunk forwarder not sending data

muhammad4 · ‎02-26-2014

My Server monitors 4 0ut of 5
The one below does not get monitored:

C:\Windows\System32\LogFiles\HTTPERR\httperr1.log

inputs.conf referring to this instance:

[monitor://C:\Windows\System32\LogFiles\HTTPERR]
disabled = false
followTail = 0
host = iis.windowsservername
sourcetype = iis_error
blacklist = \.gz$

muhammad4 · ‎02-26-2014

Thank you. dam spaces 🙂

thanks again for your response

kristian_kolb · ‎02-26-2014

There are lots of possible reasons for your events not being seen where you expect them.

Start here:

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/Cantfinddata

http://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

Apart from that, it might be a good idea to see what the forwarder thinks it is doing with the file by querying this url;

https://your_forwarder:8089/services/admin/inputstatus/TailingProcessor:FileStatus

You might also want to investigate this setting in inputs.conf on the forwarder.

alwaysOpenFile = [0|1]
 * Opens a file to check whether it has already been indexed.
 * Only useful for files that do not update modtime.
 * Only needed when monitoring files on Windows, mostly for IIS logs.
 * This flag should only be used as a last resort, as it increases load and slows down indexing.
 * Defaults to 0.

/K

windows splunk forwarder not sending data

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability