As someone new to Splunk, I would appreciate some guidance. Whilst I had some success, in that inputs and outputs have been configured and I can now search data in the GUI, it appears data has stopped being forwarded / consumed; the last event is Wed May 15 13:58:52 2013.
However, I can see the log files are still being updated and the data is constantly being added to.
Is my configuration in inputs wrong?
[monitor:///crd/ua1/mtusr10/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
[monitor:///crd/ua1/mtusr11/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
[monitor:///crd/ua1/mtusr11/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
Extract from splunkd on forwarder:
05-15-2013 23:22:16.465 +0100 INFO TailingProcessor - Parsing configuration stanza: monitor:///crd/ua1/mtusr11/91/serverapps/logs.
05-15-2013 23:22:16.465 +0100 INFO TailingProcessor - Adding watch on path: /crd/ua1/mtsys10/91/serverapps/logs.
Appreciate any help or guidance on things to check?
I found this was due to a lack of understanding of the front end GUI - the data was being consumed as required.
amrit's script for checking input statuses could definitely help you out here: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/
Can you try like this below and change the whitelist...
[monitor:///crd/ua1/mtusr10/91/serverapps/logs]
whitelist = cr_server\.html$
disabled = false
crcSalt =
-Kamal Bisht
Can you send me the splunkd logs from the indexer side?
Many thanks, I've checked and those \'s are already there (paste issue)
Any other suggestions?