The monitor stanza contains the proper amount of slashes.

 [monitor://(path to file)] 

So in Linux you end up with the triple slash.

 [monitor:///path/to/file]

Hi jethompson, thanks for your effort on this, hey I had checked the inputs.conf stanza and there are other log parameters configured to be monitored from the same node under different path and we could see those data in splunk.

Path to monitor : /opt/alfrxxx4.2/tomcat/logs/xxxx_access.log
inputs.conf stanza
[monitor:///opt/alf*/tomcat/logs/_access.log]
sourcetype = tomcat:web:access
index = websphere

this stanza is working fine.
Similarly under the same node we to monitor another log data from this location "opt/solr-tomcat/logs/solr_access.logs" so I had written a stanza like this to get this data into splunk but we are not getting the data in splunk.

Inputs.conf :
[monitor:///opt/solr-tomcat/logs/solr_access.logs]
index = websphere
sourcetype = tom:web:solr

kindly guide me how to fix this issue.

How to check the permissions?

If required permissions are not there then how to give the permission?

Hi
the easiest way is just log to this server and then do sudo -u <UF User> tail -10 <path to log file>
Of course this expect that there are events on this file. If not you could use also sudo -u <UF User> ls -laF <path to file>. If you can ls the file you probably have also the read access (not 100% sure) to this file.
r. Ismo

Hi jkat, thanks for your effort on this, Yes splunkd is running fine in this node, as we could see the data for other two logs source which is configured from this node.

The below stanza is also configured in inputs.conf along with another stanza which is not fetching the data.

Path to monitor : /opt/alfrxxx4.2/tomcat/logs/xxxx_access.log
inputs.conf stanza
[monitor:///opt/alf*/tomcat/logs/_access.log]
sourcetype = tomcat:web:access
index = websphere

[monitor:///opt/solr-tomcat/logs/solr_access.logs] -- > Not fetching the data in splunk
index = websphere
sourcetype = tom:web:solr
Path where log source resides : opt/solr-tomcat/logs/solr_access.logs

I had executed the query

index="_internal" "solr_access.logs*" host ="xxxx" log_level=INFO but getting no result found.

Kindly guide me how to fix this issue.

I didn't say log_level=info

Check this search for more details:

index=_internal solr_access.logs host=NameOfServer

Hi Jkat, thanks for your effort on this, I had checked the parameter given by the user and found a typo error instead of "solr_access.log" we trying to capture "solr_access.logs" . So corrected it and splunk started getting the data into it.

In-correct (typo error)
Inputs.conf :
[monitor:///opt/solr-tomcat/logs/solr_access.logs]
index = websphere
sourcetype = tom:web:solr

corrected stanza

Inputs.conf :
[monitor:///opt/solr-tomcat/logs/solr_access.log]
index = websphere
sourcetype = tom:web:solr

thanks

Hi Richgalloway, thanks for your effort on this, Yes we have installed the UF in this node and I had checked the inputs.conf stanza, there are other log parameter configured to be monitored from the same node under different path and we could see those data in splunk.

Path to monitor : /opt/alfrxxx4.2/tomcat/logs/xxxx_access.log
inputs.conf stanza
[monitor:///opt/alf*/tomcat/logs/_access.log]
sourcetype = tomcat:web:access
index = websphere

this stanza is working fine.
Similarly under the same node we to monitor another log data from this location "opt/solr-tomcat/logs/solr_access.logs" so I had written a stanza like this to get this data into splunk but we are not getting the data in splunk.

Inputs.conf :
[monitor:///opt/solr-tomcat/logs/solr_access.logs]
index = websphere
sourcetype = tom:web:solr

kindly guide me to fix this issue.