UF is not forwarding the JSON data to indexers

newsplunker1
Path Finder

Hello,

I configured the UF to monitor a JSON file in a specific directory, but it's not forwarding it to the indexers.

The output is working properly, as there are files being sent to the indexers.

Here is my inputs file:
[monitor://C:\temp*.json]
index=test1
sourcetype=test_styp

My props:
[test_styp]
INDEXED_EXTRACTIONS =json
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N+%4N
TIME_PREFIX="observedTime":"
MAX_TIMESTAMP_LOOKAHEAD=28

The Splunk logs state the following: "Adding watch on path splunk [monitor://C:\temp*]", but nothing is being ingested.

I tried running this SPL search on my SH to check if there is something related to JSON extraction, but nothing returned:

test_styp | rex "incoming=\"(?<incoming>.+)\", transformed=" | spath input=incoming

Could you please help ?

0 Karma
1 Solution

newsplunker1
Path Finder

The file format was the issue. I also uploaded the file into the Splunk instance, which generated the props file, then copied it to where the UF is installed.

0 Karma

newsplunker1
Path Finder

So I got the file ingested into the indexers now (there was something wrong with the file format), but I'm having problems extracting the JSON fields properly. I'm not getting all of the lines.

Here is my props file now:

[test]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Structured
disabled = false
pulldown_type = true

0 Karma

richgalloway
SplunkTrust

Please post a new question showing the original data and what is indexed.

---
If this reply helps you, Karma would be appreciated.
0 Karma

manjunathmeti
Champion

1. If temp is a directory, then the monitor stanza should be:

 [monitor://C:\temp\*.json]

2. If not, then check that the user running the Splunk forwarder service has access to C:\temp*.json.

3. Search the data with the index name:

index=test1 sourcetype=test_styp
0 Karma
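Two things in this thread are worth checking before touching Splunk at all: which files a monitor path such as C:\temp*.json versus C:\temp\*.json actually covers (this reply), and whether the JSON files themselves are in a shape a line-oriented input with INDEXED_EXTRACTIONS=json can read (the "file format" finding in the accepted answer, and the NO_BINARY_CHECK / TIME_PREFIX / TIME_FORMAT settings in the question). The script below is an added example, not code from the thread or from Splunk: it expands both patterns with Python's glob over a constructed directory tree, and then inspects each matched file for a UTF-16 encoding, a UTF-8 BOM, a top-level array, pretty-printed multi-line objects, and an observedTime value that does not fit the posted TIME_FORMAT. The timestamp regex is my reading of `%Y-%m-%dT%H:%M:%S.%3N+%4N` and is an assumption; the sample files are constructed.

```python
"""Added example: sanity checks for a monitor:// input on JSON files."""
import glob
import json
import os
import re
import tempfile

# Shape implied by TIME_PREFIX="observedTime":" and TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N+%4N
# as posted in the question. This is an assumption about what the author's data looks like.
OBSERVED_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}\+\d{4}$")


def expand_monitor_pattern(base_dir, pattern):
    """Expand a Windows-style wildcard path (given relative to base_dir) with glob.

    A '*' glued to a directory name, as in temp*.json, is matched against names
    in the parent directory; temp\\*.json is matched against names inside temp\\.
    Results are returned with backslashes so they read like the monitor stanza.
    """
    rel = pattern.replace("\\", os.sep)
    matches = glob.glob(os.path.join(base_dir, rel))
    return sorted(os.path.relpath(p, base_dir).replace(os.sep, "\\") for p in matches)


def check_json_file(path):
    """Return a list of problems that would stop line-per-event JSON ingestion."""
    problems = []
    with open(path, "rb") as f:
        raw = f.read()
    # UTF-16 output (common from Windows tooling) is full of NUL bytes and reads as binary.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return ["UTF-16 encoding (NUL bytes); a text tailer will treat this as binary"]
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM before the first '{'")
        raw = raw[3:]
    lines = [ln for ln in raw.decode("utf-8", errors="replace").splitlines() if ln.strip()]
    if not lines:
        return ["empty file"]
    # With LINE_BREAKER=([\r\n]+) every line must be one complete JSON object.
    if lines[0].lstrip().startswith("["):
        return ["top-level JSON array; lines are not complete objects"]
    for n, line in enumerate(lines, 1):
        try:
            obj = json.loads(line)
        except ValueError:
            problems.append(f"line {n}: not a complete JSON object (pretty-printed or truncated?)")
            continue
        ts = obj.get("observedTime") if isinstance(obj, dict) else None
        if ts is None:
            problems.append(f"line {n}: no observedTime field for TIME_PREFIX to find")
        elif not OBSERVED_TIME_RE.match(ts):
            problems.append(f"line {n}: observedTime {ts!r} does not match TIME_FORMAT")
    return problems


def build_demo_tree():
    """Create a constructed directory tree: C:\\temp\\ with three files plus C:\\temp_old.json."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "temp"))
    good = '{"observedTime":"2024-05-01T10:15:30.123+0000","msg":"ok"}\n' * 2
    pretty = json.dumps({"observedTime": "2024-05-01T10:15:30.123+0000"}, indent=2) + "\n"
    for rel, content in {"temp/events.json": good, "temp/pretty.json": pretty,
                         "temp_old.json": good}.items():
        with open(os.path.join(base, rel), "w", encoding="utf-8") as f:
            f.write(content)
    with open(os.path.join(base, "temp", "utf16.json"), "wb") as f:
        f.write(good.encode("utf-16"))  # BOM-prefixed UTF-16, as some Windows tools write
    return base


def run_demo():
    """Expand both monitor patterns over the demo tree and check every file under temp\\."""
    base = build_demo_tree()
    report = {
        "glob_temp*.json": expand_monitor_pattern(base, r"temp*.json"),
        "glob_temp\\*.json": expand_monitor_pattern(base, r"temp\*.json"),
    }
    for rel in report["glob_temp\\*.json"]:
        report[rel] = check_json_file(os.path.join(base, rel.replace("\\", os.sep)))
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it as-is and compare the two glob lines: temp*.json only picks up temp_old.json beside the directory, while temp\*.json picks up everything inside it, which is the distinction point 1 above is making. The per-file report then shows the kind of defect that makes a watched file produce no events even though the TailingProcessor logs "Adding watch on path".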

newsplunker1
Path Finder

Thanks Manjunath,

I actually have it that way with the temp*.json. And I tried the full syntax (index, sourcetype); nothing changed. I checked the user access and it has full access to that path.

0 Karma

PavelP
Motivator

Hello @newsplunker1

Can you check that your monitor stanza includes disabled = 0? If you don't set it to 0 (zero), then it is disabled by default:

disabled = [0|1]
* Whether or not the event collector input is active.
* Set this setting to "1" to disable the input, and "0" to enable it.
* Default: 1 (disabled).
0 Karma

newsplunker1
Path Finder

Thanks Pavel. Did that, but no changes.

0 Karma

PavelP
Motivator

Have you restarted splunk?

0 Karma

newsplunker1
Path Finder

Yes, I restarted after making the changes. I keep seeing this: "TailingProcessor - Adding watch on path: C:\temp\". So to me, it's able to see the path but not able to read it? If so, the Splunk account has access to that path, so I don't know what's going on.

0 Karma

PavelP
Motivator

Run this query in CMD (adjust the Splunk path as needed):

C:\programfiles\splunkforwarder\bin\splunk.exe _internal call /services/admin/inputstatus/TailingProcessor:FileStatus
0 Karma

newsplunker1
Path Finder

So I got the file ingested into the indexers now (there was something wrong with the file format), but I'm having problems extracting the JSON fields properly.

0 Karma

PavelP
Motivator

Hello @newsplunker1

glad you worked it out!

Please create a new question, so more people can see it and help!

0 Karma

richgalloway
SplunkTrust

Search for index=test1 sourcetype=test_styp to see if you find anything. Searches should always specify an index name.
Verify Splunk can read the files. Run splunk list monitor on the UF to see if the file is really being monitored.

---
If this reply helps you, Karma would be appreciated.
0 Karma

newsplunker1
Path Finder

Thanks Rich,
I tried that, but nothing returned. I tried the splunk list command and it showed no directory is being monitored, which is weird because I have other directories working properly.

0 Karma