Getting Data In

How to debug why a universal forwarder is reading all log files except one?

darthsplunk
Explorer

Hello,

I have configured inputs.conf on a universal forwarder. The file contains around 20 entries for log files, however one of them is not being read by Splunk.

Within splunkd I can see:

10-23-2014 14:59:17.762 +0100 INFO  TailingProcessor - Parsing configuration stanza: monitor://C:\my\dir\logfile.log.

I would then expect to see:

TailingProcessor - Adding watch on path for file <…>

and

WatchedFile - Will begin reading at offset=61873 for file <…>

But I never see this. I have performed the following debug steps:

How can I debug this further? The universal forwarder is sending data from other log files on this host OK, so it isn't a connection issue.

Any help is appreciated.

Thanks,
DS

1 Solution

darthsplunk
Explorer

It turned out to be an issue with other entries in the inputs.conf where wildcards were in use. These were corrected and the inputs work as expected. Thanks all.


0 Karma

dailv1808
Path Finder

I have the same problem. Please show me how you fixed it. Thanks.

0 Karma


jrodman
Splunk Employee

Adding watch on path is for the common parent of the monitored locations. Do you have monitors on directories that are above that location, such as c:\my or c:\my\dir? What is the set of directories that you see for these lines? What is the set of monitor stanzas that you have?

Do you have any messages relating to logfile.log in splunkd.log at all?

0 Karma
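An added example, not part of the original posts and not Splunk's own code: a small Python check for the two conditions raised in this thread, namely other monitor stanzas that use wildcards (the accepted solution) and monitors on parent directories (jrodman's question), either of which can also cover the file that is not being read. The sample inputs.conf is constructed, the function names are hypothetical, and the wildcard handling is an approximation of Splunk's documented semantics (`...` recurses through directories, `*` matches within one path segment).

```python
import re
from pathlib import PureWindowsPath

# Constructed sample inputs.conf; only the logfile.log path comes from the thread.
SAMPLE_INPUTS = r"""
[monitor://C:\my\dir\logfile.log]
sourcetype = app_log

[monitor://C:\my\dir\*.log]
sourcetype = other_log

[monitor://C:\my]

[monitor://D:\...\audit*.txt]

[monitor://C:\other\app.log]
"""

def monitor_stanzas(conf_text):
    """Return the path of every [monitor://...] stanza, in file order."""
    return re.findall(r"^\[monitor://(.+?)\]\s*$", conf_text, flags=re.M)

def wildcard_to_regex(path):
    """Approximate Splunk wildcards: '...' spans directories, '*' stays in one segment."""
    out = []
    for part in re.split(r"(\.\.\.|\*)", path):
        if part == "...":
            out.append(".*")
        elif part == "*":
            out.append(r"[^\\/]*")
        else:
            out.append(re.escape(part))
    return re.compile("".join(out) + r"$", re.I)

def overlapping(conf_text, target):
    """List (stanza, reason) pairs for other stanzas that also cover `target`."""
    hits = []
    tgt = PureWindowsPath(target)
    for path in monitor_stanzas(conf_text):
        if path.lower() == target.lower():
            continue  # the stanza for the file itself
        if "*" in path or "..." in path:
            if wildcard_to_regex(path).match(target):
                hits.append((path, "wildcard"))
        elif PureWindowsPath(path) in tgt.parents:
            hits.append((path, "parent directory"))
    return hits

if __name__ == "__main__":
    for stanza, reason in overlapping(SAMPLE_INPUTS, r"C:\my\dir\logfile.log"):
        print(f"{reason}: [monitor://{stanza}]")
```

Run it against the merged configuration the forwarder actually loads (for example the output of `splunk btool inputs list`), since stanzas from several apps are combined.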

the_wolverine
Champion

You should search the _internal index for any reference to the log file name in question. Some issues I have seen in the field are: thruput set too low (forwarder is not able to consume the log before it rolls), permissions issues (Splunk doesn't have read access to the log file).

What is the version of Splunk forwarder in question?

esix_splunk
Splunk Employee

Check file level permissions and make sure the user splunk is running as can read/execute on those files.

Additionally, is this a distributed environment? If so, what does your outputs.conf look like?
