Why is a specific log file not getting forwarded w...

BT_Neophyte · ‎04-17-2015

I'm having an issue where a specific log file is not forwarding, but others in the same directory and Splunk app are forwarding.

The files in question are:
server.log
server.log.0

The .0 is just where the server.log rolls over to so I don't care about forwarding that as it is just stale and duplicate data. I have created an inputs.conf file for this directory and simplified it just monitor "server*".

My issue is that server.log.0 is showing up in Splunk whereas server.log is NOT. If I change the inputs .conf to specifically look for server.log then nothing shows up in Splunk.

Both files have the same owner and read/write permissions. What could be causing this? It seems like all variables are equal but I'm getting different results.

Here is the inputs.conf file in question:
[monitor:///api/logs/server.log]
sourcetype=serverapi_logs
index=api

[monitor:///api/logs/error.log]
sourcetype=errorrapi_logs
index=api

And an ls on the directory:
error.log error.log.0 README.md server.log server.log.0

masonmorales · ‎04-17-2015

Try restarting your splunk forwarder to see if it picks up server.log. If that doesn't help, grep for server.log in $SPUNK_HOME/var/log/splunk/splunkd.log and see if there are any errors.

masonmorales · ‎04-17-2015

Could you post your inputs.conf please?

BT_Neophyte · ‎04-17-2015

Added more info above

juvetm · ‎04-17-2015

were you Specify the new source type in forwarder inputs

juvetm · ‎04-17-2015

the problem is not the permission

Why is a specific log file not getting forwarded when others in the same directory do?

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability