https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598876#M104439 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241735">@Poojitha</a>,</P><P>as you can read at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Usingforwardingagents" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Usingforwardingagents</A>&nbsp;and in many other videos, you have to do some preventive actions:</P><UL><LI>did you already enable log receiving on Indexers [Settings -- Forwarderding and Receiving -- Receiving]?</LI><LI>did you already enable log forwarding on Universal Forwarder (outputs.conf or installation procedure)?</LI><LI>do you see internal logs from that Forwarders on Splunk (index=_internal host=&lt;your_host&gt;)</LI></UL><P>Ciao.</P><P>Giuseppe</P> Mon, 23 May 2022 09:53:30 GMT gcusello 2022-05-23T09:53:30Z https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598864#M104438 <P>Hi All,<BR /><BR />I have installed splunk UF on windows . I have one static log file in system (json)&nbsp; and that need to be monitored.&nbsp; &nbsp;I have configure this in inputs.conf file.<BR />I see only system/application and security logs being sent to indexer whereas the static log file is not seen.<BR /><BR />I ran "splunk list inputstatus" and checked,&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">C:\Users\Administrator\Downloads\test\test.json file position = 75256 file size = 75256 percent = 100.00 type = finished reading</LI-CODE> <P>&nbsp;</P> <P>So, this means the file is being read properly.<BR /><BR />What can be the issue that I dont see test.json logs at splunk side ? I tried checking index=_internal at indexer but not able to figure out what is causing issue, I checked few blogs on Internet as well. Can anyone please help on this.<BR /><BR />Thanks in Advance,<BR />Newbie to splunk<BR /><BR /></P> Tue, 24 May 2022 15:20:58 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598864#M104438 Poojitha 2022-05-24T15:20:58Z https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598876#M104439 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241735">@Poojitha</a>,</P><P>as you can read at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Usingforwardingagents" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Usingforwardingagents</A>&nbsp;and in many other videos, you have to do some preventive actions:</P><UL><LI>did you already enable log receiving on Indexers [Settings -- Forwarderding and Receiving -- Receiving]?</LI><LI>did you already enable log forwarding on Universal Forwarder (outputs.conf or installation procedure)?</LI><LI>do you see internal logs from that Forwarders on Splunk (index=_internal host=&lt;your_host&gt;)</LI></UL><P>Ciao.</P><P>Giuseppe</P> Mon, 23 May 2022 09:53:30 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598876#M104439 gcusello 2022-05-23T09:53:30Z https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598919#M104442 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;Thanks for your response&nbsp;</P><P>&nbsp;</P><UL><LI>Yes, I have enabled it. I see system, application and security logs from that windows machine but not the log from the static file.&nbsp;</LI><LI>Yes , I have enabled</LI><LI>Yes, I checked index=_internal , there are logs from this host.</LI></UL><P>Searching the index=_internal and this host with the filename (test.json), I see nix_errors with tag=error :<BR /><BR /></P><LI-CODE lang="markup">active_searches=15, elapsedTime=0.604, search='pretypeahead prefix="index=_internal \"test_sourcetype\" \"test-host\" \"test.json max_time="1" count="50" use_cache=1', savedsearch_name="", drop_count=0, scan_count=0, eliminated_buckets=0, considered_events=0, decompressed_slices=0, events_count=0, total_slices=0, considered_buckets=0, search_rawdata_bucketcache_error=0, search_rawdata_bucketcache_miss=0, search_index_bucketcache_error=0, search_index_bucketcache_hit=0, search_index_bucketcache_miss=0, search_rawdata_bucketcache_hit=0, search_rawdata_bucketcache_miss_wait=0.000, search_index_bucketcache_miss_wait=0.000</LI-CODE><P>&nbsp;</P><P>What does this imply ? &nbsp;</P> Mon, 23 May 2022 14:44:25 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598919#M104442 Poojitha 2022-05-23T14:44:25Z https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598920#M104443 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241735">@Poojitha</a>,</P><P>the above tests were to understand if the connection id correctly establishhed.</P><P>Now, could you share your inputs.conf where the file is monitored?</P><P>&nbsp;in other words, a file called "inputs.conf" where is located a stanza with</P><LI-CODE lang="markup">[monitor://C:\Users\Administrator\Downloads\test\test.json]</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 23 May 2022 15:18:00 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598920#M104443 gcusello 2022-05-23T15:18:00Z https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598923#M104444 <P>&nbsp;</P><LI-CODE lang="markup">[WinEventLog://Application] disabled = 0 index = test_index sourcetype = test_sourcetype [WinEventLog://Security] disabled = 0 index = test_index sourcetype = test_sourcetype [WinEventLog://System] disabled = 0 index = test_index sourcetype = test_sourcetype [monitor://C:\Users\Administrator\Downloads\test\log.json] disabled = 0 index = test_index sourcetype = test_sourcetype</LI-CODE><P>&nbsp;</P><P><BR />This is what my inputs.conf file&nbsp;</P> Mon, 23 May 2022 15:29:22 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598923#M104444 Poojitha 2022-05-23T15:29:22Z https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598925#M104445 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241735">@Poojitha</a>,</P><P>Splunk doesn't read twice a log, maybe your log was already read, could you try to add this row to ste stanza of your inputs.conf and restart Splunk on Forwarder?</P><LI-CODE lang="markup">crcSal = &lt;SOURCE&gt;</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 23 May 2022 15:42:43 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598925#M104445 gcusello 2022-05-23T15:42:43Z https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598940#M104449 <P>&nbsp;</P><LI-CODE lang="markup">[WinEventLog://Application] disabled = 0 index = test_index sourcetype = test_sourcetype [WinEventLog://Security] disabled = 0 index = test_index sourcetype = test_sourcetype [WinEventLog://System] disabled = 0 index = test_index sourcetype = test_sourcetype [monitor://C:\Users\Administrator\Downloads\test\log.json] disabled = 0 index = test_index sourcetype = test_sourcetype</LI-CODE><P>This is how my inputs.conf file looks like</P> Mon, 23 May 2022 16:58:08 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598940#M104449 Poojitha 2022-05-23T16:58:08Z https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598961#M104452 <P>I tried this, its not working <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;</P> Mon, 23 May 2022 18:29:18 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/598961#M104452 Poojitha 2022-05-23T18:29:18Z https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/599011#M104460 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241735">@Poojitha</a>,</P><P>sorry: I missed a char!</P><LI-CODE lang="markup">crcSalt = &lt;SOURCE&gt;</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Tue, 24 May 2022 06:26:51 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-there-issue-with-Universal-Forwarder-forwarding-logs-to/m-p/599011#M104460 gcusello 2022-05-24T06:26:51Z