Solved: oneshot events not in index --- ooops problem solv...

reswob4 · ‎04-21-2017

I'm trying to use oneshot on a Windows HF to test some data. Here is the command and the result:

C:>"Program Files\Splunk\bin\splunk.exe" add oneshot \Tools\1dns.log -index test_dns
Oneshot 'C:\Tools\1dns.log' added

But when I do I search:

index=test_dns

I get no results.

I've repeated the oneshot multiple times.

I found this link: https://answers.splunk.com/answers/41990/how-long-to-wait-after-splunk-add-oneshot-before-doing-sear...

And when I checked the tailing processor page, of the HF, it showed all the other files it had or was continuing to ingest, but not 1dns.log.

I searched the _internal index for that file to see if there were any errors and the one most prevalent is:

0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sun Apr 16 08:06:17 2017). Context: source::C:\Tools\1dns.log|host::SPLUNK-04|DNS|9

---- Ah, searched on the date in the error above and found all my events.

Back to working to fix my props.conf.

reswob4 · ‎04-21-2017

Thanks for the tip @adonio, the source defaulted to what you suggested. I may need to specify the sourcetype, but the main problem seems to be my timestamp.

To repeat what I said above:

I searched the _internal index for that file to see if there were any errors and the one most prevalent was:

0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sun Apr 16 08:06:17 2017). Context: source::C:\Tools\1dns.log|host::SPLUNK-04|DNS|9

I searched the test_dns index specifically on the date in the error above and found all my events.

Back to working to fix my props.conf to fix the timestamp problem.

View solution in original post

gmjATredjack · ‎12-02-2019

Also be sure to check the time range of your search. If you're seeing nothing, and no errors, try "All TIme"

reswob4 · ‎04-21-2017

Thanks for the tip @adonio, the source defaulted to what you suggested. I may need to specify the sourcetype, but the main problem seems to be my timestamp.

To repeat what I said above:

I searched the _internal index for that file to see if there were any errors and the one most prevalent was:

0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sun Apr 16 08:06:17 2017). Context: source::C:\Tools\1dns.log|host::SPLUNK-04|DNS|9

I searched the test_dns index specifically on the date in the error above and found all my events.

Back to working to fix my props.conf to fix the timestamp problem.

aaraneta_splunk · ‎04-21-2017

@reswob4 - It looks like you're attempting to share how you found a solution to your issue, right? If so, can you please put how you found your solution in an a separate answer below and "Accept" it? That way others can easily find it if they are running into the same problem. Thanks for sharing the with community!

adonio · ‎04-21-2017

Hey reswob4,
try this: from C:\Program Files\Splunk\bin\
run this: splunk add oneshot -source \Tools\1dns.log -index test_dns

make sure the file in the exact full path, you probably need to specify C:\directory\directory\path\to\file
or copy paste from the windows explorer
example from docs here:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorfilesanddirectoriesusingtheCLI#Exampl...

hope it helps

oneshot events not in index --- ooops problem solved

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM