We used free enterprise splunk. we import logs into splunk.
Some log files data won't show in splunk
I want to make sure I did right to set up the import.
1) settings --Data --data input -- Files and directories --new --enter file location
The log files are organized into a folder by day and month.
1) do I need to disable the previous month for datainput working.
See the examples: Is my settings are correct?
C:\logs\2014\201410 Constant Value Session default search Disabled | Enable Clone | Delete
C:\logs\2014\201411 Constant Value Session default search Disabled | Enable Clone | Delete
C:\logs\2014\201412 Constant Value Session default 57483 launcher Enabled | Disable Clone
Hi,
Have you add your data file by file or the folder one time?
because you have in your example 3 lines and see the sixth column, app name is different (search and launcher)
C:\logs\2014\201410 Constant Value Session default search Disabled | Enable Clone | Delete
C:\logs\2014\201411 Constant Value Session default search Disabled | Enable Clone | Delete
C:\logs\2014\201412 Constant Value Session default 57483 launcher Enabled | Disable Clone
I think you should have one line
C:\logs Constant Value Session default 57483 search Enabled | Disable Clone
So when you enter the path name be sure to enter the whole folder. Perhaps is this the problem.
here are some suggestions for further reading:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Troubleshooting/Cantfinddata
Well, the cap one is accidently.
If so, you cannot make it accepted? A
And if you accidentally used all capital letters, you can edit your posting to fix it.
please stop using the Answer field to comment. if you have further information about your issue, provide it in your question above.
i PREFER TO GET AN ANSWER INSTEAD SENDING A LINK. i HAVE THAT LINK BUT NOT EVERYTHING NEED TO KNOW IN THE LINK.
CAPS LOCK ISN'T CRUISE CONTROL FOR COOL.
But, the link is the same as the answer, it provides information.
There is no 100% guarantee that any answers here will solve your problem. This is a free community support answers board after all. You want 100% accurate answers, you will need to pay for support.
That being said, the answers provided are the correct ones.
Thank you for your reply but I am new to splunk. I would like to know that will resolve my issue?
I manually set up or disable monthly data input
If you have access to the server, update the inputs.conf like this to have single monitoring stanza for all the folders/subfolders
[monitor://C:\logs\(\d{4})\(\d{6}\*]
disabled = false
followTail = 0
sourcetype = Session
index = main