topic oneshot events not in index --- ooops problem solved in Deployment Architecture

oneshot events not in index --- ooops problem solved

reswob4 — Fri, 21 Apr 2017 18:30:30 GMT

I'm trying to use oneshot on a Windows HF to test some data. Here is the command and the result:

C:>"Program Files\Splunk\bin\splunk.exe" add oneshot \Tools\1dns.log -index test_dns
Oneshot 'C:\Tools\1dns.log' added

But when I do I search:

index=test_dns

I get no results.

I've repeated the oneshot multiple times.

I found this link: https://answers.splunk.com/answers/41990/how-long-to-wait-after-splunk-add-oneshot-before-doing-searches.html

And when I checked the tailing processor page, of the HF, it showed all the other files it had or was continuing to ingest, but not 1dns.log.

I searched the _internal index for that file to see if there were any errors and the one most prevalent is:

0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sun Apr 16 08:06:17 2017). Context: source::C:\Tools\1dns.log|host::SPLUNK-04|DNS|9

---- Ah, searched on the date in the error above and found all my events.

Back to working to fix my props.conf.

Re: oneshot events not in index --- ooops problem solved

adonio — Fri, 21 Apr 2017 18:36:53 GMT

Hey reswob4,
try this: from C:\Program Files\Splunk\bin\
run this: splunk add oneshot -source \Tools\1dns.log -index test_dns

make sure the file in the exact full path, you probably need to specify C:\directory\directory\path\to\file
or copy paste from the windows explorer
example from docs here:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorfilesanddirectoriesusingtheCLI#Example_4:_Upload_a_file

hope it helps

Re: oneshot events not in index --- ooops problem solved

aaraneta_splunk — Fri, 21 Apr 2017 18:42:59 GMT

@reswob4 - It looks like you're attempting to share how you found a solution to your issue, right? If so, can you please put how you found your solution in an a separate answer below and "Accept" it? That way others can easily find it if they are running into the same problem. Thanks for sharing the with community!

Re: oneshot events not in index --- ooops problem solved

reswob4 — Fri, 21 Apr 2017 18:47:48 GMT

Thanks for the tip @adonio, the source defaulted to what you suggested. I may need to specify the sourcetype, but the main problem seems to be my timestamp.

To repeat what I said above:

I searched the _internal index for that file to see if there were any errors and the one most prevalent was:

0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sun Apr 16 08:06:17 2017). Context: source::C:\Tools\1dns.log|host::SPLUNK-04|DNS|9

I searched the test_dns index specifically on the date in the error above and found all my events.

Back to working to fix my props.conf to fix the timestamp problem.

Re: oneshot events not in index --- ooops problem solved

gmjATredjack — Mon, 02 Dec 2019 14:27:11 GMT

Also be sure to check the time range of your search. If you're seeing nothing, and no errors, try "All TIme"

Re: oneshot events not in index --- ooops problem solved

anwarmian — Sat, 07 Sep 2024 16:45:08 GMT

Specify the sourcetype at the oneshot command and have a props.conf with the following paramers set. The TIME parameters will take care of your timestamp issue. Make sure to restart the splunkd service after adding the props.conf.

[sourcetypename]
LINE_BREAKER
TIME_PREFIX
MAX_TIMESTAMP_LOOKAHEAD
TIME_FORMAT
TRUNCATE
SHOULD_LINEMERGE = false # LINE_BREAKER should be properly set so you can keep SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true