- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- LogFile Troubleshooting - read file issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LogFile Troubleshooting - read file issue
I am working in a single node environment (indexer is also deployment-server)and I am having trouble determining why splunk will not index a log file of mine. I set up the configurations in the serverclass.conf and white-listed a new server "server12". This serverclass was already monitoring multiple other servers. The same log file "D:\Logfile\logs.csv" is being monitored on each of the servers and can be seen in the logs coming from all servers except for "server12". I also see other logs coming from "server12" but I do not see the "D:\Logfile\logs.csv" file.
'
My conclusions thus far:
Because I see logs coming from "server12" I know it is not a network/FW issue. And the permissions on the logfile are the same throughout each of the servers so Splunk has permission to read the file.
My question:
Is there a simple way to troubleshoot this or does anyone know if I am missing anything in my configurations?
Running splunk version : Splunk 6.0 (build 182037)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I see it.
Try this:
[monitor://D:\\Logfilelogs.csv]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, Splunkd and splunkweb were restarted along with a
"splunk reload deploy-server"
Serverclass:
[serverClass:SC-admin]
whitelist.0 = server1
whitelist.1 = server2
whitelist.2 = server3
whitelist.3 = server4
whitelist.4 = server5
whitelist.5 = server6
whitelist.6 = server7
whitelist.7 = server8
whitelist.8 = server9
whitelist.9 = server12
[serverClass:SC-admin:app:SC-loghistory-inputs]
$SPLUNK_HOME$/etc/deployment-apps/SC-loghistory-inputs/local/inputs.conf
[monitor://D:\Logfile\logs.csv]
index = loghistory
sourcetype = csv-2
disabled = false
crcSalt =
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try restarting splunkd after the changes?
Can you post your serverclass.conf and also your inputs.conf where you have defined monitor stanzas
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
