Solved: Upgraded Universal Forwarder, log file no longer m...

gustavomichels · ‎04-10-2014

Hey all,

I'm able to successfully monitor a log file on a Windows server (2008 R2) using the Universal Forwarder while on version 4.3.1. The entry in inputs.conf is a simple [monitor://<path to file>], no additional options are used.

I performed an in place upgrade to UF 6.0.2 and I don't get anything from that file indexed anymore. I still get event log entries, it's just that specific file that is not being indexed.

splunkd.log on the host shows the file is being monitored as I see the TailingProcessor entries mentioning the stanza. splunk list monitor shows the file is being monitored.

Any ideas on how to debug this?

Thank you,

gustavomichels · ‎04-10-2014

I guess I didn't wait long enough. Problem was entries were being indexed with the wrong timestamp. Indexer is in GMT, host is in UTC, so I needed to add _tzhint=UTC to the monitor stanza.

All set now.

View solution in original post

gustavomichels · ‎04-10-2014

I guess I didn't wait long enough. Problem was entries were being indexed with the wrong timestamp. Indexer is in GMT, host is in UTC, so I needed to add _tzhint=UTC to the monitor stanza.

All set now.

Upgraded Universal Forwarder, log file no longer monitored

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life