Hi @Yannk,
Had a quick question.
Below is my splunkd.log
04-13-2016 11:54:45.568 -0700 INFO TailingProcessor - TailWatcher initializing...
04-13-2016 11:54:45.568 -0700 INFO TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk.
04-13-2016 11:54:45.568 -0700 INFO TailingProcessor - Parsing configuration stanza: batch://$SPLUNK_HOME/var/spool/splunk/...stash_new.
04-13-2016 11:54:45.568 -0700 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/etc/splunk.version.
04-13-2016 11:54:45.568 -0700 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk.
04-13-2016 11:54:45.568 -0700 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk/metrics.log.
04-13-2016 11:54:45.568 -0700 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log.
04-13-2016 11:54:45.568 -0700 INFO TailingProcessor - Parsing configuration stanza: monitor:///root/data.
04-13-2016 11:54:45.568 -0700 INFO TailReader - State transitioning from 1 to 0 (initOrResume).
04-13-2016 11:54:45.568 -0700 INFO TailReader - State transitioning from 1 to 0 (initOrResume).
04-13-2016 11:54:45.568 -0700 INFO TailingProcessor - Adding watch on path: /opt/splunkforwarder/etc/splunk.version.
04-13-2016 11:54:45.568 -0700 INFO TailingProcessor - Adding watch on path: /opt/splunkforwarder/var/log/splunk.
04-13-2016 11:54:45.568 -0700 INFO TailingProcessor - Adding watch on path: /opt/splunkforwarder/var/spool/splunk.
**04-13-2016 11:54:45.568 -0700 INFO TailingProcessor - Adding watch on path: /root/data**.
04-13-2016 11:54:45.568 -0700 INFO TailReader - Registering metrics callback for: tailreader0
04-13-2016 11:54:45.568 -0700 INFO TailReader - Starting tailreader0 thread
04-13-2016 11:54:45.569 -0700 INFO TailReader - Registering metrics callback for: batchreader0
04-13-2016 11:54:45.570 -0700 INFO TailReader - Starting batchreader0 thread
04-13-2016 11:54:45.571 -0700 INFO loader - Limiting REST HTTP server to 1365 sockets
04-13-2016 11:54:45.571 -0700 INFO loader - Limiting REST HTTP server to 1365 threads
04-13-2016 11:54:45.571 -0700 WARN X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see:
04-13-2016 11:54:45.597 -0700 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/opt/splunkforwarder/var/log/splunk/searchhistory.log'.
04-13-2016 11:54:45.659 -0700 ERROR TcpOutputFd - Read error. Connection reset by peer
04-13-2016 11:54:45.661 -0700 INFO WatchedFile - Will begin reading at offset=2558565 for file='/opt/splunkforwarder/var/log/splunk/metrics.log'.
**04-13-2016 11:54:50.665 -0700 INFO TailReader - Could not send data to output queue (parsingQueue), retrying...
04-13-2016 11:55:15.392 -0700 WARN UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts
04-13-2016 11:55:15.528 -0700 ERROR TcpOutputFd - Read error. Connection reset by peer
04-13-2016 11:55:45.527 -0700 ERROR TcpOutputFd - Read error. Connection reset by peer**
I see that the folder is monitored, but connection is getting reset. I checked out certain other answers and set sendCookedData = true . Even that didn't work. Is there something else I am missing?
Thanks,
Saravana
... View more