Solved: Upgraded Universal Forwarder, log file no longer m...

gustavomichels · ‎04-10-2014

Hey all,

I'm able to successfully monitor a log file on a Windows server (2008 R2) using the Universal Forwarder while on version 4.3.1. The entry in inputs.conf is a simple [monitor://<path to file>], no additional options are used.

I performed an in place upgrade to UF 6.0.2 and I don't get anything from that file indexed anymore. I still get event log entries, it's just that specific file that is not being indexed.

splunkd.log on the host shows the file is being monitored as I see the TailingProcessor entries mentioning the stanza. splunk list monitor shows the file is being monitored.

Any ideas on how to debug this?

Thank you,

gustavomichels · ‎04-10-2014

I guess I didn't wait long enough. Problem was entries were being indexed with the wrong timestamp. Indexer is in GMT, host is in UTC, so I needed to add _tzhint=UTC to the monitor stanza.

All set now.

View solution in original post

gustavomichels · ‎04-10-2014

I guess I didn't wait long enough. Problem was entries were being indexed with the wrong timestamp. Indexer is in GMT, host is in UTC, so I needed to add _tzhint=UTC to the monitor stanza.

All set now.

Upgraded Universal Forwarder, log file no longer monitored

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!