Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can't search events in newly added "Files&Directories" input

jordans
Path Finder
‎09-07-2011 11:05 AM

I recently added a new input to Files & Directories to parse xml files that log backup operations and set the sourcetype as "backup_files" (the first input to use this sourcetype). After adding the input, the Manager shows that that input sees 375 files, which is the correct number of files in the shared directory.

But I can't see those files anywhere in search. "backup_files" doesn't show up in the Summary, no words within those files result in hits of a search.

What am I missing?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jordans
Path Finder
‎09-07-2011 12:57 PM

https://YOURHOST:8089/admin/services/inputstatus/TailingProcessor:FileStatus showed that the RegEx was failing. The Whitelist regex needs to include the path as well as the filename.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jordans
Path Finder
‎09-07-2011 12:57 PM

https://YOURHOST:8089/admin/services/inputstatus/TailingProcessor:FileStatus showed that the RegEx was failing. The Whitelist regex needs to include the path as well as the filename.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎09-07-2011 11:43 AM

I would take a look at https://YOURHOST:8089/admin/services/inputstatus.

(Note this is on the management port 8089, not the splunkWeb port 8000)

Just because the input is saying there are files there doesnt necessarily mean they're getting indexed. The inputstatus endpoint can tell you if they're matching blacklist config, or being flagged as binary etc..

It can also happen sometimes that they're getting indexed, but not into the slice of time you might expect based on what Splunk sees in the events. Double check the timerange you're searching over and expand it to 'all time' if necessary.

0 Karma
Reply
Solved! Jump to solution

jordans
Path Finder
‎09-07-2011 12:48 PM

8089/services/admin/inputstatus/TailingProcessor:FileStatus worked, though.

I see that the regex I used isn't matching the files (even though I tested it in regex tester ...)

0 Karma
Reply
Solved! Jump to solution

jordans
Path Finder
‎09-07-2011 12:02 PM

I am searching by all-time, and the link you have returns 404.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...