topic Re: Index issue - new logs - iis-2 in Getting Data In

Index issue - new logs - iis-2

DanielFordWA — Tue, 18 Jun 2013 16:27:53 GMT

Hi,

I have splunk sitting on a server indexing log files from a dir \weblog

When I initially added the folder all the logs were indexed and the data appears correctly, however the new logs are not being indexed.

The logs initially start at 0kb size and grow and then a new log is created every 10min, these logs are not being indexed.

I understand that the standard setting is to monitor the folder and as a log grows splunk will index the new information, this does not seem to be happening. I expect this is a basic error on my part.

They are iis-2 log format.

Hope you can help,

Dan

Re: Index issue - new logs - iis-2

kristian_kolb — Tue, 18 Jun 2013 16:37:50 GMT

Please post the inputs.conf. Mask any servernames/internal data as needed.

Re: Index issue - new logs - iis-2

DanielFordWA — Wed, 19 Jun 2013 10:38:09 GMT

Hi Kristian thanks for the response.

I have discovered that Splunk does index the most recent logs which are created every 10mins, however these logs have a GMT time stamp, I am currently on BST (GMT +1).

The server Splunk sits on is also BST.

Therefore instead of a 10min delay it looks like a 1hr10mins delay, even though the logs are indexed every 10mins.

Is there an easy way to resolve this?

Re: Index issue - new logs - iis-2

DanielFordWA — Fri, 21 Jun 2013 14:10:52 GMT

For a workaround I have change the user to GMT+1.

Re: Index issue - new logs - iis-2

starcher — Fri, 21 Jun 2013 14:11:14 GMT

Add the following to your props.conf. This will tell splunk that source type iis-2 logs are all coming in GMT timezone.

[iis-2]
tz=GMT