Can't find data added through inputs.conf

vaishnavi07
Explorer

I tried adding the data through inputs.conf. I am trying to add a sample log file from my system to the Splunk server. I added the below code to inputs.conf and restarted the server, but I don't find any data in my index.

[monitor://C:\Windows\WindowsUpdate.log]
disabled=0
index=windowsupdate_test
sourcetype=windowsupdate

Does anyone know what may be the issue here? Thanks in advance.

0 Karma

thambisetty
SplunkTrust

Hi vaishnavi07,

May I know the operating system of the forwarder Splunk instance and the receiver Splunk instance (indexer)?

Hi vaishnavi,
may I know from which OS you want to get the data in? Or the OS of the forwarder?
On which OS have you installed the Splunk server? Or the OS of the indexer (receiver)?

OS - operating system

————————————
If this helps, give a like below.
0 Karma

vaishnavi07
Explorer

Splunk is installed on a Linux machine. I am only trying to add the file by adding a stanza in inputs.conf, but it is showing an error that the path is not absolute.

0 Karma

MuS
SplunkTrust

You cannot add a Windows path as input on a Linux server. If you just want to index the file, copy it over to this directory on the Splunk indexer: $SPLUNK_HOME/var/spool/splunk. Everything in there will be indexed automatically.

splunker12er
Motivator

Did you search for all time?
Did you see any errors in splunkd.log?
Are you using a universal forwarder?
- Check the outputs.conf file for the correct IP of the indexer you are forwarding to.

0 Karma

vaishnavi07
Explorer

Yes, I searched for all time. I only need to add data into my server. For now I am not forwarding the data to any other server.

0 Karma

MuS
SplunkTrust

Hi vaishnavi07,

there is a long list of possible issues here:

  • does the user running splunk have read rights on this file?
  • can you reach the index server from the UF (if you're using a UF, which is a universal forwarder)?
  • did you check on the source, where you changed the inputs.conf, in $SPLUNK_HOME\var\log\splunk\splunkd.log for any errors?
  • did you do an all time search on index=windowsupdate_test?
  • do you have the permission to search this index?
  • does this index exist?
  • typos anywhere?
  • .......

hope this helps to get you started

cheers, MuS

vaishnavi07
Explorer

Yes, I am running on Linux. Is it not the format?

0 Karma

vaishnavi07
Explorer

It is located in $SPLUNK_HOME$/etc/system/local. I checked for typos but everything is fine. Whatever I have posted in the question is what I have given there.

0 Karma

MuS
SplunkTrust

run $SPLUNK_HOME\bin\splunk cmd btool --debug inputs list monitor and check if your monitor stanza is listed

0 Karma

vaishnavi07
Explorer

When I run the command it shows that $SPLUNK_HOME should be set. But when I checked in splunk-launch.conf, SPLUNK_HOME is set correctly.

0 Karma

vaishnavi07
Explorer

When I check splunkd.log it is showing an error that the path is not absolute.

0 Karma

jrodman
Splunk Employee

For a monitor line such as
[monitor://C:\Windows\WindowsUpdate.log] you will get an error that it is not absolute if you are running on UNIX. Are you running on UNIX?

0 Karma
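
The absolute-path rule jrodman describes can be checked before restarting Splunk. The following is an added example, not part of the original thread and not Splunk's own validation code: the function names are hypothetical, the sample inputs.conf is constructed from the stanza in the question, and "absolute" is decided by Python's pathlib rather than by splunkd.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample: the stanza from the question plus two illustrative ones.
SAMPLE_INPUTS_CONF = r"""
[monitor://C:\Windows\WindowsUpdate.log]
disabled=0
index=windowsupdate_test
sourcetype=windowsupdate

[monitor:///var/log/WindowsUpdate.log]
disabled = 0
index = windowsupdate_test
sourcetype = windowsupdate

[monitor://logs/app.log]
index = main
"""

STANZA_RE = re.compile(r"^\[monitor://(?P<path>.+)\]\s*$")


def parse_monitor_stanzas(text):
    """Return {path: {key: value}} for every [monitor://...] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = STANZA_RE.match(line)
            # Non-monitor stanzas reset `current` so their keys are ignored.
            current = stanzas.setdefault(m.group("path"), {}) if m else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def lint_monitor_paths(text, host_os="posix"):
    """Flag monitor paths that are not absolute on the host running Splunk."""
    flavour = PurePosixPath if host_os == "posix" else PureWindowsPath
    findings = []
    for path, settings in parse_monitor_stanzas(text).items():
        if not flavour(path).is_absolute():
            hint = ("Windows drive path" if PureWindowsPath(path).drive
                    else "not absolute for this host")
            findings.append((path, settings.get("index", "<default>"), hint))
    return findings
```

Calling `lint_monitor_paths(SAMPLE_INPUTS_CONF)` for a Linux host flags the `C:\Windows\WindowsUpdate.log` stanza from the question; the btool command mentioned elsewhere in this thread still shows what Splunk itself loaded.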

vaishnavi07
Explorer

Hi Jrodman. Can you tell me the format in which I should provide the path?

0 Karma

vaishnavi07
Explorer

When I try adding the same file through the UI page it is working. But when I add it through inputs.conf I am not getting the data.

0 Karma

vaishnavi07
Explorer

Yes, that is fine. Even when I add new data it is not getting added. Anything through inputs.conf is not adding.

0 Karma

MuS
SplunkTrust

Where is this inputs.conf located? Check for typos in that file.

0 Karma

MuS
SplunkTrust

You are aware of the fact that once-indexed data will not be re-indexed by Splunk simply because you add it once again using a different method? You have to clean the so-called fishbucket first; this is where Splunk saves what was already indexed.

0 Karma

vaishnavi07
Explorer

The index name is also not there in splunkd.log. Does this mean there are no errors, or that it didn't add the data at all?

0 Karma

MuS
SplunkTrust

Did you create an index called windows update_test?

0 Karma

vaishnavi07
Explorer

Yes, I have read rights on the file. I checked in splunkd.log and there are no entries in it. And also I did an All time search on the index. I have admin rights on the server and I have write permissions on this index.

0 Karma