
Why is Splunk not indexing new files in a monitored folder?

jameshgibson
Path Finder

This is on a Windows box to a Windows network location. I have set up an input on a folder located on a network drive with the following in my inputs.conf

[monitor://\\myserver\tempfolder$\Logs\logfileprefix*]
disabled = false
followTail = 0
host = myserver
sourcetype = my-source-type
index = main

However no logs are getting indexed. I have already checked that the splunk account can access this folder.

EDIT 2: In the splunk management page you can see that it has found hundreds of files to index. But they cannot be found when searching.

EDIT: I can index the files using Splunk's oneshot command

splunk add oneshot "\\myserver\tempfolder$\Logs\logfileprefix.log" -sourcetype "my-source-type" -index "main" -host "%host%"

1 Solution

jameshgibson
Path Finder

Turns out this was nothing to do with any of the characters or permissions. For some reason the ending of logfileprefix* was causing the problem (despite working on non-network folders). I swapped this to use a whitelist instead... which didn't work. Finally I added a blacklist, which did.

The final working config looks similar to:

[monitor://\\myserver\tempfolder$\Logs]
disabled = false
followTail = 0
sourcetype = mysourcetype
whitelist =
blacklist = (something|BLAH\-[0-9]+)
index = tmp

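The accepted answer replaces a wildcard in the monitor path with a directory monitor plus a blacklist regex. The Python below is an added illustration, not part of the thread and not Splunk's code: it models the documented selection rules (a `*` in the monitor path matches inside one path segment, `...` matches across segments, a directory monitor is recursive, whitelist/blacklist are regexes applied to the full path and blacklist wins) and runs both stanzas from the thread against a constructed list of file paths. The candidate paths are made up; note that the literal `$` of the hidden share has to be escaped before it can be used in a regex.

```python
import re

# Both inputs.conf stanzas are copied from the thread: the original one that
# did not index anything, and the final one from the accepted answer.
ORIGINAL_STANZA = r"""
[monitor://\\myserver\tempfolder$\Logs\logfileprefix*]
disabled = false
followTail = 0
host = myserver
sourcetype = my-source-type
index = main
"""

SOLUTION_STANZA = r"""
[monitor://\\myserver\tempfolder$\Logs]
disabled = false
followTail = 0
sourcetype = mysourcetype
whitelist =
blacklist = (something|BLAH\-[0-9]+)
index = tmp
"""

# Constructed directory listing of the share; none of these files are real.
CANDIDATES = [
    r"\\myserver\tempfolder$\Logs\logfileprefix-2013-01-11.log",
    r"\\myserver\tempfolder$\Logs\logfileprefix-2013-01-12.log",
    r"\\myserver\tempfolder$\Logs\something.log",
    r"\\myserver\tempfolder$\Logs\BLAH-42.log",
    r"\\myserver\tempfolder$\Logs\archive\logfileprefix-2012.log",
    r"\\myserver\otherfolder$\Logs\logfileprefix-2013.log",
]


def parse_stanza(text):
    """Return (monitor path, settings dict) for one [monitor://...] stanza."""
    path, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("monitor://"):
                path = path[len("monitor://"):]
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return path, settings


def monitor_pattern(path):
    """Compile a monitor path into a regex (approximation of the documented rules).

    '*' stays within one path segment, '...' crosses segments, everything else
    is escaped so the '$' of a hidden share is a literal character rather than
    an end-of-string anchor. A directory match also covers everything beneath
    it, because directory monitors are recursive by default.
    """
    parts, i = [], 0
    while i < len(path):
        if path.startswith("...", i):
            parts.append(".*")
            i += 3
        elif path[i] == "*":
            parts.append(r"[^\\/]*")
            i += 1
        else:
            parts.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(parts) + r"(?:[\\/].*)?$", re.IGNORECASE)


def select_files(stanza_text, candidates):
    """Return the candidate paths the stanza would pick up, in input order."""
    path, settings = parse_stanza(stanza_text)
    path_re = monitor_pattern(path)
    whitelist = settings.get("whitelist", "")
    blacklist = settings.get("blacklist", "")
    # An empty whitelist means "everything"; a blacklist match always wins.
    wl_re = re.compile(whitelist) if whitelist else None
    bl_re = re.compile(blacklist) if blacklist else None
    chosen = []
    for f in candidates:
        if not path_re.match(f):
            continue
        if wl_re is not None and not wl_re.search(f):
            continue
        if bl_re is not None and bl_re.search(f):
            continue
        chosen.append(f)
    return chosen


if __name__ == "__main__":
    for name, stanza in (("original", ORIGINAL_STANZA), ("solution", SOLUTION_STANZA)):
        print(name)
        for f in select_files(stanza, CANDIDATES):
            print("   ", f)
```

Running it shows the difference between the two stanzas: the wildcard path only selects files whose name starts with the prefix in the `Logs` directory itself, while the directory monitor also descends into `archive\` and relies on the blacklist to drop `something.log` and `BLAH-42.log`. When a monitor input silently picks up nothing, comparing the regex you think you wrote with the paths actually present, as done here, is a cheaper first check than changing service accounts.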


yannK
Splunk Employee

Check if your files have a static header and are skipped because they are considered duplicates. Test by adding a comment on the first line, and look at the crc options in inputs.conf.
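The duplicate check yannK refers to works on a CRC of the start of each file, so two files that share a long static header look identical to the input. The following Python is an added illustration, not from the thread and not Splunk's implementation: it models that fingerprinting with the settings named in inputs.conf (a CRC over the first `initCrcLength` bytes, by default 256, optionally salted with `crcSalt`, where `<SOURCE>` means the file's path) and shows why the second of two constructed log files with a 300-byte common header is skipped, and how a first-line comment, a larger `initCrcLength` or `crcSalt = <SOURCE>` makes it distinct. The file contents and paths are constructed.

```python
import zlib

DEFAULT_INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength

# Constructed static header, longer than 256 bytes and identical in every file.
STATIC_HEADER = b"# MyApp application log\n# Columns: timestamp,level,message\n".ljust(300, b"#")

# Constructed files; the paths reuse the placeholder share from the thread.
FILES = {
    r"\\myserver\tempfolder$\Logs\logfileprefix-2013-01-10.log":
        STATIC_HEADER + b"\n2013-01-10 10:00:00 INFO started\n",
    r"\\myserver\tempfolder$\Logs\logfileprefix-2013-01-11.log":
        STATIC_HEADER + b"\n2013-01-11 10:00:43 WARN retrying\n",
}


def initial_crc(data, source, init_crc_length=DEFAULT_INIT_CRC_LENGTH, crc_salt=None):
    """Fingerprint a file as the crc settings describe (approximation, not Splunk's code):
    CRC32 of the first init_crc_length bytes, optionally salted. '<SOURCE>' salts with
    the file's own path; any other string is used literally."""
    head = data[:init_crc_length]
    if crc_salt == "<SOURCE>":
        salt = source.encode()
    elif crc_salt:
        salt = crc_salt.encode()
    else:
        salt = b""
    return zlib.crc32(head + salt) & 0xFFFFFFFF


class FishBucket:
    """Stand-in for the store of fingerprints the input has already seen."""

    def __init__(self):
        self.seen = {}

    def decide(self, source, data, **crc_opts):
        crc = initial_crc(data, source, **crc_opts)
        if crc in self.seen:
            return "skipped: same initial CRC as " + self.seen[crc]
        self.seen[crc] = source
        return "indexed"


def simulate(files=FILES, **crc_opts):
    """Feed the files through a fresh bucket and return one decision per file."""
    bucket = FishBucket()
    return [bucket.decide(src, data, **crc_opts) for src, data in files.items()]


def with_test_comment(files):
    """yannK's quick test: a distinct comment on the first line of each file."""
    return {src: b"# test " + src.encode() + b"\n" + data for src, data in files.items()}


if __name__ == "__main__":
    print("defaults:             ", simulate())
    print("comment on line 1:    ", simulate(with_test_comment(FILES)))
    print("initCrcLength = 1024: ", simulate(init_crc_length=1024))
    print("crcSalt = <SOURCE>:   ", simulate(crc_salt="<SOURCE>"))
```

With the defaults the second file is reported as a duplicate of the first even though its events differ. Salting with `<SOURCE>` is the usual fix for files with a fixed banner, but it ties the fingerprint to the path, so a rotated or renamed copy of an already-indexed file is read again and produces duplicate events; raising `initCrcLength` past the header avoids that side effect when the header length is known.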

yannK
Splunk Employee

OK, so this is an input misconfigured, or a permission issue.
Or a forwarding issue. (To check if the forwarding is working for other files, search on the indexer for index=_internal host=myfowarder)


season88481
Contributor

I have the same problem. So I added a fake header to my new files, and Splunk started ingesting the file!! Thanks for your tips!!!


jameshgibson
Path Finder

The files not indexed are completely new, with a different name and timestamp etc., so I don't think this is the problem.


MuS
SplunkTrust

Hi jameshgibson,

Does the account running splunkd have network access? By default this is not allowed for system services, so you have to enable this first.

cheers,
MuS

jameshgibson
Path Finder

Gave changing the user account a bash, but no change unfortunately.


MuS
SplunkTrust

Found this one, where the solution was to use a different user to run Splunk -> http://splunk-base.splunk.com/answers/4614/how-do-i-monitor-a-unc-path


MuS
SplunkTrust

OK, then a quick and dirty test: use the UNC path without $ and see if it works. If yes, you can file a case and ask support how this must be done with a hidden UNC share.


jameshgibson
Path Finder

I saw that but from the answer I can't see anything he changed to fix it. Also the answer directly below seems to suggest that it is not the case.


MuS
SplunkTrust

This is related to authentication between search heads and search peers and not file monitoring -> http://splunk-base.splunk.com/answers/27523/splunkdlog-denied-session-token-for-user-splunk-system-u...
But check this out: http://splunk-base.splunk.com/answers/58727/unc-path-with-sign. Looks like the $ is your problem.


jameshgibson
Path Finder

Getting a lot of warnings for: 01-11-2013 10:00:43.134 +0000 WARN AdminHandler:AuthenticationHandler - Denied session token for user: splunk-system-user


MuS
SplunkTrust

Do you get any errors in splunkd.log?


jameshgibson
Path Finder

Good idea, but I assume that as splunk oneshot works, it must be able to access it.
