Upgraded Universal Forwarder, log file no longer monitored

gustavomichels
Path Finder

Hey all,

I'm able to successfully monitor a log file on a Windows server (2008 R2) using the Universal Forwarder while on version 4.3.1. The entry in inputs.conf is a simple [monitor://<path to file>], no additional options are used.

I performed an in-place upgrade to UF 6.0.2 and I don't get anything from that file indexed anymore. I still get event log entries, it's just that specific file that is not being indexed.

splunkd.log on the host shows the file is being monitored as I see the TailingProcessor entries mentioning the stanza. splunk list monitor shows the file is being monitored.

Any ideas on how to debug this?

Thank you,

0 Karma
1 Solution

gustavomichels
Path Finder

I guess I didn't wait long enough. Problem was entries were being indexed with the wrong timestamp. Indexer is in GMT, host is in UTC, so I needed to add _tzhint=UTC to the monitor stanza.

All set now.


0 Karma
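
To confirm a shift like the one described in the solution, compare each event's parsed timestamp (`_time`) with the time it was indexed (`_indextime`): a time zone misparse shows up as a steady lag close to a multiple of 15 minutes, while ordinary forwarding delay does not. The following is an added example, not part of the original thread; it assumes events exported to CSV with `host`, `source`, `_time` and `_indextime` columns in epoch seconds, and the sample rows, host names and the `tz_shift_report` function are constructed for illustration.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample export (not real data). _time is the timestamp parsed
# from the event; _indextime is when the indexer wrote it. Epoch seconds.
SAMPLE_CSV = r"""host,source,_time,_indextime
web01,D:\app\app.log,1700000000,1700000003
web01,D:\app\app.log,1700000060,1700000065
web01,D:\app\app.log,1700000120,1700000124
web01,D:\app\app.log,1700000180,
web02,D:\app\app.log,1700018000,1700000006
web02,D:\app\app.log,1700018060,1700000064
web02,D:\app\app.log,1700018120,1700000125
web03,D:\app\app.log,1700000000,1700000400
web03,D:\app\app.log,1700000060,1700000470
web03,D:\app\app.log,1700000120,1700000525
"""

STEP = 900       # time zone offsets are multiples of 15 minutes
TOLERANCE = 120  # seconds of normal forwarding delay allowed around a step


def tz_shift_report(csv_text, step=STEP, tolerance=TOLERANCE):
    """Return {(host, source): offset_seconds} for inputs whose median
    (_indextime - _time) sits near a non-zero multiple of `step`.
    Negative offset: events are stamped in the future relative to indexing.
    Positive offset: events are stamped in the past."""
    lags = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            lag = float(row["_indextime"]) - float(row["_time"])
        except (KeyError, TypeError, ValueError):
            continue  # skip rows without usable timestamps
        lags[(row["host"], row["source"])].append(lag)

    report = {}
    for key, values in lags.items():
        median = statistics.median(values)
        nearest = round(median / step) * step
        if nearest != 0 and abs(median - nearest) <= tolerance:
            report[key] = int(nearest)
    return report


if __name__ == "__main__":
    for (host, source), offset in tz_shift_report(SAMPLE_CSV).items():
        print(f"{host} {source}: events shifted by {offset / 3600:+.2f} h")
```

An input flagged with a negative offset has events landing outside a "last N minutes" search window, which is why the file can look unmonitored even though the forwarder is reading it.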
