Dashboards & Visualizations

Can't search events in newly added "Files&Directories" input

jordans
Path Finder

I recently added a new input to Files & Directories to parse xml files that log backup operations and set the sourcetype as "backup_files" (the first input to use this sourcetype). After adding the input, the Manager shows that that input sees 375 files, which is the correct number of files in the shared directory.

But I can't see those files anywhere in search. "backup_files" doesn't show up in the Summary, no words within those files result in hits of a search.

What am I missing?

1 Solution

jordans
Path Finder

https://YOURHOST:8089/admin/services/inputstatus/TailingProcessor:FileStatus showed that the RegEx was failing. The Whitelist regex needs to include the path as well as the filename.

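The accepted answer's point, that Splunk tests a monitor stanza's whitelist against the full path rather than the file name alone, can be reproduced offline. This is an added example, not code from the post or from Splunk: it parses a constructed inputs.conf fragment and applies whitelist and blacklist the way the tailing processor does (both are unanchored regex searches over the whole path; a blacklist match wins). The share path, file names and the basename-anchored regex are assumptions standing in for the poster's real values.

```python
import configparser
import re

# Constructed inputs.conf fragments; share path, file names and regexes are assumptions.
BROKEN_INPUTS_CONF = r"""
[monitor:///mnt/backupshare]
sourcetype = backup_files
# Anchored to the basename, but the whitelist is tested against the full path.
whitelist = ^backup_\d+\.xml$
"""

FIXED_INPUTS_CONF = r"""
[monitor:///mnt/backupshare]
sourcetype = backup_files
whitelist = ^/mnt/backupshare/.*/backup_\d+\.xml$
blacklist = /old/
"""

# Constructed sample of the full paths the tailing processor would evaluate.
SAMPLE_PATHS = [
    "/mnt/backupshare/2024/backup_0001.xml",
    "/mnt/backupshare/2024/backup_0002.xml",
    "/mnt/backupshare/2024/backup_0002.xml.tmp",
    "/mnt/backupshare/old/backup_0009.xml",
    "/mnt/backupshare/notes/readme.txt",
]


def parse_monitor_stanzas(conf_text):
    """Read the [monitor://...] stanzas from inputs.conf text (ini-style, no interpolation)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return {s[len("monitor://"):]: dict(cp[s]) for s in cp.sections() if s.startswith("monitor://")}


def path_is_monitored(root, stanza, full_path):
    """Mimic the tailing processor: the path must sit under the stanza root, the whitelist
    regex (if any) must match somewhere in the full path, and a blacklist match wins."""
    if not full_path.startswith(root.rstrip("/") + "/"):
        return False
    whitelist, blacklist = stanza.get("whitelist"), stanza.get("blacklist")
    if whitelist and not re.search(whitelist, full_path):
        return False
    if blacklist and re.search(blacklist, full_path):
        return False
    return True


def monitored_paths(conf_text, paths):
    """Return the paths that at least one monitor stanza in conf_text would actually tail."""
    stanzas = parse_monitor_stanzas(conf_text)
    return [p for p in paths if any(path_is_monitored(r, s, p) for r, s in stanzas.items())]
```

With the basename-anchored whitelist nothing is tailed, which is exactly the "375 files seen, nothing indexed" symptom; the path-aware whitelist admits the two current XML files and the blacklist drops the archived copy.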


sideview
SplunkTrust

I would take a look at https://YOURHOST:8089/admin/services/inputstatus.

(Note this is on the management port 8089, not the splunkWeb port 8000)

Just because the input is saying there are files there doesn't necessarily mean they're getting indexed. The inputstatus endpoint can tell you if they're matching blacklist config, or being flagged as binary etc.

It can also happen sometimes that they're getting indexed, but not into the slice of time you might expect based on what Splunk sees in the events. Double check the timerange you're searching over and expand it to 'all time' if necessary.


jordans
Path Finder

8089/services/admin/inputstatus/TailingProcessor:FileStatus worked, though.

I see that the regex I used isn't matching the files (even though I tested it in regex tester ...)


jordans
Path Finder

I am searching by all-time, and the link you have returns 404.
