- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to debug why a universal forwarder is parsing ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to debug why a universal forwarder is parsing files from paths but no data is ingested?
Hi Everyone,
I am trying to monitor xml files from a directory in a certain server. But for some unknown reason/s no data is coming in.
I have tried different path in the inputs.conf assuming that the provided path is not correct.
As I check on the _internal logs, I can see the following events will all the paths I have in my inputs.conf. However, there's still no data ingested.
TailingProcessor - Adding watch on path: <path1>
TailingProcessor - Adding watch on path: <path2>
TailingProcessor - Adding watch on path: <path3>
TailingProcessor - Parsing configuration stanza: monitor:<path1>
TailingProcessor - Parsing configuration stanza: monitor:<path2>
TailingProcessor - Parsing configuration stanza: monitor:<path3>
What could be error in this?
Hope someone could help me with this.
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are using Splunk UF 6.3+ then you can use below command on UF to check monitoring status of various files.
$SPLUNK_HOME/bin/splunk list inputstatus
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @harsmarvania57,
Thanks for your comment.
Unfortunately, we do not have access on the server.
Hopefully, we will be given access so we can check.
Thanks again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to show us the inputs.conf file, at a minimum. The more/better information that you provide, the better we can help you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @woodcock,
Below is a sample of the inputs.conf
[monitor://G:\rcad.net\dfs\TEST\SAMPLE\PROD\BTS-TEST-Testing-PROD-NAV\ERROR\]
whitelist=.*\.xml
disabled = false
index = test_index
sourcetype = test_srctype
[monitor://G:\rcad.net\dfs\TEST\SAMPLE\PROD\BTS-TEST-Testing-PROD-NAV\ERROR\*.xml]
disabled = false
index = test_index
sourcetype = test_srctype
I have tried using whitelist but it still does not work.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
