- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Monitoring several log files with a specified inde...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi guys,
I am fairly new to splunk, and I am trying to get it to monitor a couple of log files on some app servers.
I have created the apps needed and also created an index. However, when I try to use the search function in Splunk Web and use that index, it is not pulling data.
This is my inputs.conf file:
[monitor:///tibco/apps/tra/domain/abc/application/logs]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host1
[monitor:///tibco/apps/tra/domain/abc/application/logs/855EDI-855EDI.log]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host2
[monitor:///tibco/apps/tra/domain/abc/application/logs]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host3
[monitor:///tibco/apps/tra/domain/abc/application/logs/*.log]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host4
When I try:
./splunk list monitor it tells me that these folders are being monitored
I also tried and changed the permissions.
Also when I give this search:
source="/tibco/apps/tra/domain/abc/application/logs/*"
it is actually pulling data, but not when I give index = tibco like it works for my other applications,
Thank you for you help,
Oliver
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to bounce all Splunk instances on your forwarders so that the latest changes to inputs.conf are re-run. I assume the problem is that you forgot to specify index=tibco the last time that you changed the configs so Splunk picked something on its own.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to bounce all Splunk instances on your forwarders so that the latest changes to inputs.conf are re-run. I assume the problem is that you forgot to specify index=tibco the last time that you changed the configs so Splunk picked something on its own.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a follow up question though and I am sure you can probably help me out again.
The indexer is indexing now data from only $host4, which is very odd since I don't even have any splunk or splunk apps installed on $host4, yet. Only on 1-3.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
check out outputs.conf files on all of your hosts and make sure that 1-3 are configured the same as 4.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, SIr.
I did that and it did help, the indexer is pulling data now.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
