Hi,
On one of my Windows servers the universal forwarder stopped unexpectedly. I found and restarted the universal forwarder after a day, but the universal forwarder is sending the logs from the universal forwarder start time. What about my previous logs, I mean the 1 day of logs?
Should I have to configure any attribute to get this done?
Anyone, please suggest.
Many Thanks
I'm getting the same problem. Splunk Universal Forwarder on Linux, accessing file data. When the forwarder stops working, we restart the forwarder and it ingests data again, but not for that entire gap that it was down.
Aha - Found it in apps/search:
-bash-3.2$ more inputs.conf
[monitor:///logs/remote/.../*.log]
disabled = false
index = issec
sourcetype = syslog
Great. Either comment out the entry (put # in front of each line) OR set disabled = true. Restart the Splunk forwarder after making the change and it should be sending data for this log file to indexers anymore.
No, here is the entire contents of the inputs.conf:
-bash-3.2$ more inputs.conf
[default]
host = tuslplog01
It's weird... This is a syslog server, but the data is file based, and I can't see where the inputs are defined...
Run the command below and see which different inputs.conf files you have (assuming the UF is installed in the /opt/splunkforwarder directory; update if it's different):
/opt/splunkforwarder/bin/splunk cmd btool inputs list --debug
You don't use ignoreOlderThan in your inputs stanza, right?
Good point.
What type of logs are showing gaps: file monitoring, scripted inputs, etc.? If it's file monitoring, then check, when the forwarder started working again, whether the log files did contain the data which is not being shown. If the files are rolled over, they may not get monitored. If it's scripted, scheduled inputs, then there won't be any backfill and it'll show the gaps.
Hello
By default the UF should continue where it left off before stopping. This is the default behaviour; there is nothing to configure to get this.
What kind of inputs are you using? Is the missing data persisted on the server, so UF can read it? Maybe it has been rolled before the restart of the UF...
Regards
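
An added example (not from any poster in this thread and not Splunk's own code): a Python sketch that reads `btool inputs list --debug` output and flags monitor stanzas that are disabled or whose ignoreOlderThan window is shorter than the forwarder outage, the two settings raised above. The sample output, the hypothetical_app path and the ignoreOlderThan = 12h value are constructed for illustration.

```python
import re

# Constructed sample of `splunk cmd btool inputs list --debug` output (not real data).
SAMPLE_BTOOL = """\
/opt/splunkforwarder/etc/system/local/inputs.conf   [default]
/opt/splunkforwarder/etc/system/local/inputs.conf   host = tuslplog01
/opt/splunkforwarder/etc/apps/search/local/inputs.conf [monitor:///logs/remote/.../*.log]
/opt/splunkforwarder/etc/apps/search/local/inputs.conf disabled = false
/opt/splunkforwarder/etc/apps/search/local/inputs.conf ignoreOlderThan = 12h
/opt/splunkforwarder/etc/apps/search/local/inputs.conf index = issec
/opt/splunkforwarder/etc/apps/search/local/inputs.conf sourcetype = syslog
/opt/splunkforwarder/etc/apps/hypothetical_app/local/inputs.conf [monitor:///var/log/secure]
/opt/splunkforwarder/etc/apps/hypothetical_app/local/inputs.conf disabled = true
"""

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
LINE_RE = re.compile(r"^(.*?\.conf)\s+(.*)$")  # source file (may contain spaces), then setting

def parse_btool(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = {}, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        source, rest = m.group(1), m.group(2).strip()
        if rest.startswith("[") and rest.endswith("]"):
            current = rest[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in rest:
            key, value = (s.strip() for s in rest.split("=", 1))
            stanzas[current][key] = (value, source)
    return stanzas

def backfill_risks(stanzas, outage_seconds):
    """Heuristic: list monitor stanzas that may not backfill after an outage."""
    findings = []
    for name, settings in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        disabled, src = settings.get("disabled", ("false", ""))
        if disabled.lower() in ("true", "1"):
            findings.append((name, "disabled", src))
        value, src = settings.get("ignoreOlderThan", ("", ""))
        m = re.fullmatch(r"(\d+)([smhd])", value)
        if m and int(m.group(1)) * UNIT_SECONDS[m.group(2)] < outage_seconds:
            findings.append((name, "ignoreOlderThan=" + value, src))
    return findings
```

On a real forwarder, pass the text captured from the btool command shown earlier in the thread to `parse_btool` instead of `SAMPLE_BTOOL`.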