Log file not being forwarded / indexed anymore?

nathanlhopkins
Path Finder

As someone new to Splunk, I would appreciate some guidance. Whilst I had some success, in that inputs and outputs have been configured and I can now search data in the GUI, it appears data has stopped being forwarded / consumed; the last event is Wed May 15 13:58:52 2013.

However, I can see the log files are still being updated and data is constantly being added to them.

Is my configuration in inputs wrong?

[monitor:///crd/ua1/mtusr10/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
index = crd_index

[monitor:///crd/ua1/mtusr11/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
index = crd_index

[monitor:///crd/ua1/mtusr11/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
index = crd_index

Extract from splunkd on the forwarder:

05-15-2013 23:22:16.465 +0100 INFO TailingProcessor - Parsing configuration stanza: monitor:///crd/ua1/mtusr11/91/serverapps/logs.
05-15-2013 23:22:16.465 +0100 INFO TailingProcessor - Adding watch on path: /crd/ua1/mtsys10/91/serverapps/logs.

Appreciate any help or guidance on things to check?

0 Karma

nathanlhopkins
Path Finder

I found this was due to a lack of understanding of the front end GUI - the data was being consumed as required.

0 Karma

Ayn
Legend

amrit's script for checking input statuses could definitely help you out here: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

0 Karma

kml_uvce
Builder

Can you try it like this below, and change the whitelist...

[monitor:///crd/ua1/mtusr10/91/serverapps/logs]
whitelist = cr_server\.html$
disabled = false
crcSalt =
index = crd_index

-Kamal Bisht

0 Karma
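A small lint for the monitor stanzas discussed in this thread, added here as an example (it is not part of any post and is not Splunk tooling): it flags repeated stanza headers, a whitelist containing an unescaped `.`, and an empty `crcSalt`. It assumes Python's `re.search` approximates how the whitelist regex is matched against the full file path; the function names and the `cr_serverXhtml` path used to test it are constructed.

```python
import re
from collections import Counter

# The three stanzas as posted in the question, rebuilt inline (second path repeated as posted).
STANZA = ("[monitor:///crd/ua1/{u}/91/serverapps/logs]\nwhitelist = cr_server.html$\n"
          "disabled = false\ncrcSalt =\nindex = crd_index\n\n")
POSTED_CONF = "".join(STANZA.format(u=u) for u in ("mtusr10", "mtusr11", "mtusr11"))

def parse_stanzas(text):
    """Return [(header, {key: value})], keeping repeated headers instead of merging them."""
    stanzas = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanzas.append((line[1:-1], {}))
        elif "=" in line and stanzas:
            key, _, value = line.partition("=")
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas

def lint(text):
    """Return a sorted list of (stanza header, finding) pairs."""
    stanzas = parse_stanzas(text)
    findings = set()
    for header, count in Counter(h for h, _ in stanzas).items():
        if count > 1:
            findings.add((header, "duplicate stanza"))
    for header, settings in stanzas:
        # Heuristic: a '.' not preceded by a backslash matches any character.
        if re.search(r"(?<!\\)\.", settings.get("whitelist", "")):
            findings.add((header, "unescaped '.' in whitelist"))
        if settings.get("crcSalt") == "":
            findings.add((header, "empty crcSalt"))
    return sorted(findings)

def whitelist_matches(pattern, path):
    """Unanchored regex search of the whitelist against a full path (assumed behaviour)."""
    return re.search(pattern, path) is not None

if __name__ == "__main__":
    for header, finding in lint(POSTED_CONF):
        print(f"{finding}: [{header}]")
```
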

kml_uvce
Builder

Can you send me the splunkd logs from the indexer side?

0 Karma

nathanlhopkins
Path Finder

Many thanks, I've checked and those \'s are already there (paste issue).

Any other suggestions?

0 Karma