- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Monitoring several log files with a specified inde...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys,
I am fairly new to splunk, and I am trying to get it to monitor a couple of log files on some app servers.
I have created the apps needed and also created an index. However, when I try to use the search function in Splunk Web and use that index, it is not pulling data.
This is my inputs.conf file:
[monitor:///tibco/apps/tra/domain/abc/application/logs]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host1
[monitor:///tibco/apps/tra/domain/abc/application/logs/855EDI-855EDI.log]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host2
[monitor:///tibco/apps/tra/domain/abc/application/logs]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host3
[monitor:///tibco/apps/tra/domain/abc/application/logs/*.log]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host4
When I try:
./splunk list monitor it tells me that these folders are being monitored
I also tried and changed the permissions.
Also when I give this search:
source="/tibco/apps/tra/domain/abc/application/logs/*"
it is actually pulling data, but not when I give index = tibco like it works for my other applications,
Thank you for you help,
Oliver
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to bounce all Splunk instances on your forwarders so that the latest changes to inputs.conf are re-run. I assume the problem is that you forgot to specify index=tibco the last time that you changed the configs so Splunk picked something on its own.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to bounce all Splunk instances on your forwarders so that the latest changes to inputs.conf are re-run. I assume the problem is that you forgot to specify index=tibco the last time that you changed the configs so Splunk picked something on its own.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a follow up question though and I am sure you can probably help me out again.
The indexer is indexing now data from only $host4, which is very odd since I don't even have any splunk or splunk apps installed on $host4, yet. Only on 1-3.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
check out outputs.conf files on all of your hosts and make sure that 1-3 are configured the same as 4.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, SIr.
I did that and it did help, the indexer is pulling data now.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
