Hello Everyone,
I am trying to do some troubleshooting on our inputs.conf, specifically the forwarder is pulling in logs to the indexer correctly. However, the issue I am experiencing is that I have modified the inputs.conf on the forwarder to pull in xml files in a new location, but they are not showing up.
Is there a way I can debug the inputs.conf and see what files it is pulling in / what is being blacklisted and why through the command line interface?
Thanks in advance !
--Asif Ahmad
Asif.Ahmad@ni.com
Thanks for the replies guys!
Genti -- I am not really seeing anything related to my specific inputs.conf change. Is there something (stanza) I need to look at specifically?
Thanks.
--Asif
you mentioned: "I have modified the inputs.conf on the forwarder to pull in xml files in a new location"
This means that there should be a stanza in your inputs.conf about these xml files. As such, you SHOULD definitely see these when you do a btool on inputs.
Did you do this on the forwarder side?
This (below) should tell you all you need to know about your inputs.
./splunk cmd btool inputs list --debug
Also, you might want to set tailingprocessor in debug mode (log.cfg) and check what the logs (splunkd.log) say about the particular input you are looking for...
Amrit's input processor script may help, http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/
The great part about using this, is that it will actually tell you the files if found under the monitor path, and the results of why it isn't indexing them if that's the case.