Getting Data In

cannot get data from directory path

jsharvina
New Member

i need to index a bunch of xml logs that have an extension of .stats

i was able to just upload one of them from the same network location, and splunk indexed it just fine. but it refuses to index the lot of them form the path. it doesn't come up with any errors, just doesn't add them to the index.

i have tried J:\jobs\2010-06*.stats and J:\jobs\2010-06\

please help.

thanks,

jane

Tags (1)
0 Karma
1 Solution

Lowell
Super Champion

Two thoughts.

1.) Do any of these files contain the exact same information. Or is it possible they that would have the same first/last 256 bytes? If so, you could try adding crcSalt = <SOURCE> in your inputs.conf file. (There are some gotchas to doing this, so I wouldn't recommend trying it unless you suspect this is the case.)

2.) Have you check for any messages regarding this input in your _internal index? Use a search like: index=_internal sourcetype=splunkd ERROR OR WARN

How did you get the first file to load?

View solution in original post

0 Karma

Lowell
Super Champion

Two thoughts.

1.) Do any of these files contain the exact same information. Or is it possible they that would have the same first/last 256 bytes? If so, you could try adding crcSalt = <SOURCE> in your inputs.conf file. (There are some gotchas to doing this, so I wouldn't recommend trying it unless you suspect this is the case.)

2.) Have you check for any messages regarding this input in your _internal index? Use a search like: index=_internal sourcetype=splunkd ERROR OR WARN

How did you get the first file to load?

0 Karma

jsharvina
New Member

mystery solved - it was the fact that the splunk service was running under local user. changing it to a domain account (using the same username and password) made all the logs pile into the index. phew 🙂

0 Karma

jsharvina
New Member

1) the beginning and end characters are not the same for as long as 256 chars

2) searching through internal splunk errors revealed an access is denied error to that directory. i've checked all the permissions though and they're not protected. seems like that's where the issue is though. still remains strange that i was able to import one log from the same location just fine (that was also done through files and directories, but using upload a local file [even though i pointed it to a network location] as opposed to pointing to a path.

still a mystery

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...