https://community.splunk.com/t5/Getting-Data-In/monitoring-text-based-log-file-on-windows/m-p/52932#M10209 <P>If you didn't change the default credentials to anything else, the ones you should use are "admin" as username and "changeme" as password.</P> Wed, 16 May 2012 12:14:16 GMT Ayn 2012-05-16T12:14:16Z https://community.splunk.com/t5/Getting-Data-In/monitoring-text-based-log-file-on-windows/m-p/52931#M10208 <P>Hi,</P> <P>I have following input.conf in an app on my deployment server</P> <PRE><CODE>[Monitor://%product_home%\logs\stdout.log] disabled=0 followtail=0 sourcetype=product_stdout index=product_logs </CODE></PRE> <P>The app deploys to the target server fine, and i also have a forwarding app which also deploys fine (I am also monitoring windows event logs, and these appear in the index no problem, so I know both this and the forwarding app work correctly)</P> <P>However, my stdout.log doesn't seem to be making it into the product_logs index (the index does exist)</P> <P>I have seen mention of accessing</P> <BLOCKQUOTE> <P><A href="https://localhost:8089/services/admin/inputStatus/TailingProcessor%3AFileStatus">https://localhost:8089/services/admin/inputStatus/TailingProcessor%3AFileStatus</A></P> </BLOCKQUOTE> <P>on the target server, but I get prompted with a login box with no idea what credentials to enter in. likewise if i run the equivalent request from the command line, i get prompted to enter a username and password. after it fails i get a 401 unauthorized error.</P> <P>I have tried various combinations ...</P> <PRE><CODE>[Monitor://$product_home\logs\stdout.log] [Monitor://c:\really long path\in here\logs\stdout.log] [Monitor://%product_home%\logs\stdout.log] </CODE></PRE> <P>To no avail.</P> <P>stdout.log does exist and has content, there are no special permissions on the file and the Splunk agent is running as local system</P> <P>%PRODUCT_HOME% is defined on the target server as a system environment variable, and is in use by other programs, so I know the path is valid.</P> <P>The splunkd.log doesn't appear to have anything useful to tell me other than the app deployed ok.</P> <P>I am sure this must be something incredibly simple that I am missing, but I can't see it for the conf.</P> <P>Halp?</P> Wed, 16 May 2012 09:31:41 GMT https://community.splunk.com/t5/Getting-Data-In/monitoring-text-based-log-file-on-windows/m-p/52931#M10208 Conradj 2012-05-16T09:31:41Z https://community.splunk.com/t5/Getting-Data-In/monitoring-text-based-log-file-on-windows/m-p/52932#M10209 <P>If you didn't change the default credentials to anything else, the ones you should use are "admin" as username and "changeme" as password.</P> Wed, 16 May 2012 12:14:16 GMT https://community.splunk.com/t5/Getting-Data-In/monitoring-text-based-log-file-on-windows/m-p/52932#M10209 Ayn 2012-05-16T12:14:16Z https://community.splunk.com/t5/Getting-Data-In/monitoring-text-based-log-file-on-windows/m-p/52933#M10210 <P>Some ideas:</P> <UL> <LI>Search for something that you <EM>know</EM> is in the data over <STRONG>all time</STRONG>. Perhaps there is a timestamp problem, and the data is really in there, but not at the time you expect.</LI> <LI>Search index=* for that data. It shouldn't have happened, but what the heck.</LI> <LI>Is the data recent? If it is older, or has widely varying timestamps, you may need to set some rules in props.conf. Put them in props.conf on the indexer if you are using the Universal Forwarder. Look at the settings for <CODE>MAX_DAYS_AGO</CODE>, <CODE>MAX_DAYS_HENCE</CODE>, <CODE>MAX_DIFF_SECS_AGO</CODE> and <CODE>MAX_DIFF_SECS_HENCE</CODE> in <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf">props.conf</A></LI> </UL> Wed, 16 May 2012 18:14:46 GMT https://community.splunk.com/t5/Getting-Data-In/monitoring-text-based-log-file-on-windows/m-p/52933#M10210 lguinn2 2012-05-16T18:14:46Z