https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315331#M59009 <P>I am I have a couple hundred log files I pulled from client computers using powershell. I am experimenting with having Splunk index them. It was working prior to upgrading to 6.6.</P> <P>basically if I monitor a file directly, it works. But Splunk is not recursing sub-directories. I have never indexed these files before. On the <STRONG>data inputs screen</STRONG> it detects the files, but no events are parsed. </P> <P>I think it has to do with the path of the log files. Because I am lazy, I copied recursively with a filter, resulting in a long path, e.g. <CODE>C:\splunkdragonlogs\top25828\CCW03310\*****CCW03310*****\AppData\Roaming\Nuance\NaturallySpeaking12</CODE></P> <P>I use a regex to define the host as the 'user', as you see bolded above. </P> <P>I have tried editing input.conf to say recursive=true although that should be happening anyway.</P> <P>any thoughts of things to explore? </P> Thu, 31 Aug 2017 23:02:44 GMT millarma 2017-08-31T23:02:44Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315331#M59009 <P>I am I have a couple hundred log files I pulled from client computers using powershell. I am experimenting with having Splunk index them. It was working prior to upgrading to 6.6.</P> <P>basically if I monitor a file directly, it works. But Splunk is not recursing sub-directories. I have never indexed these files before. On the <STRONG>data inputs screen</STRONG> it detects the files, but no events are parsed. </P> <P>I think it has to do with the path of the log files. Because I am lazy, I copied recursively with a filter, resulting in a long path, e.g. <CODE>C:\splunkdragonlogs\top25828\CCW03310\*****CCW03310*****\AppData\Roaming\Nuance\NaturallySpeaking12</CODE></P> <P>I use a regex to define the host as the 'user', as you see bolded above. </P> <P>I have tried editing input.conf to say recursive=true although that should be happening anyway.</P> <P>any thoughts of things to explore? </P> Thu, 31 Aug 2017 23:02:44 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315331#M59009 millarma 2017-08-31T23:02:44Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315332#M59010 <P>I'd start with <CODE>./splunk list inputstatus</CODE> and check out what your inputs are saying. </P> <P>Or check out <CODE>index=_internal source=*splunkd.log ERROR OR WARN</CODE></P> Fri, 01 Sep 2017 03:35:29 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315332#M59010 mattymo 2017-09-01T03:35:29Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315333#M59011 <P>1) Please check splunkd.log and find there is any TailingProcessor stanza for your folder when you startup the Splunk<BR /> e.g.<BR /> TailingProcessor - Parsing configuration stanza: monitor://xxxx/xxx/xxx</P> <P>2) Try to add the '...' and '*' wildcard in the monitor stanza and see it helps.</P> Fri, 01 Sep 2017 09:27:16 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315333#M59011 tlam_splunk 2017-09-01T09:27:16Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315334#M59012 <P>Show us your <CODE>inputs.conf</CODE>. All of it.</P> Sat, 02 Sep 2017 20:45:09 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315334#M59012 woodcock 2017-09-02T20:45:09Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315335#M59013 <P>I am OP. Please find my inputs.conf below. However you should know that the files are now there. </P> <P>I have done nothing in the meantime. Can you help me understand why? I would hazard a guess that they weren't done indexing the last time I looked. This makes me think that files do not become searchable until the entire data input has been indexed. Is that so? </P> <P>How would one know if files were in the process of being indexed? Thank you all for you help.</P> <P>[monitor://C:\splunkdragonlogs\top25sinceJune1]<BR /> disabled = false<BR /> host_regex = \w+:\\w+\\w+\\w+\d+\(\w+)<BR /> index = dgn<BR /> recurse = true</P> <P>[monitor://C:\splunkdragonlogs\top25810*]<BR /> disabled = false<BR /> host_regex = \w+:\\w+\\w+\\w+\d+\(\w+)<BR /> index = dgn<BR /> sourcetype = dgn</P> <P>[monitor://C:\splunkdragonlogs\top25828*]<BR /> disabled = false<BR /> host_regex = \w+:\\w+\\w+\\w+\d+\(\w+)<BR /> index = dgn<BR /> sourcetype = dgn</P> <P>[monitor://C:\dgnlogs\top25828]<BR /> disabled = false<BR /> host_regex = \w+:\\w+\\w+\\w+\d+\(\w+)<BR /> index = dgn<BR /> sourcetype = dgn</P> <P>[monitor://C:\dgnlogs\top25sinceJune1]<BR /> disabled = false<BR /> host_regex = \w+:\\w+\\w+\\w+\d+\(\w+)<BR /> index = dgn<BR /> sourcetype = dragonlog</P> <P>[monitor://C:\dgnlogs\PathDragonLogs]<BR /> disabled = false<BR /> host_regex = \w+:\\w+\\w+\\w+\d+\(\w+)<BR /> index = dgn<BR /> sourcetype = dgn- clone</P> Tue, 05 Sep 2017 15:02:11 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315335#M59013 millarma 2017-09-05T15:02:11Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315336#M59014 <P>Start with <CODE>./splunk list inputstatus</CODE> and <CODE>./splunk list monitor</CODE> but the problem is almost certainly that there are too many files to sort through. One quick way to test is to do <CODE>./splunk restart</CODE> on your forwarder. Do most of the files start to catch up and then stop updating? Somewhere in the "thousands" of files, a forwarder will take so long sorting through and keeping track of everything that it cannot keep up with the actual task of forwarding. Usually the solution is simple: make sure that your housekeeping design is deleting or archiving files that are no longer going to change so that they disappear form the places Splunk is monitoring. If that cannot be done (the files must stay in place), then you can use this trick (be sure to <CODE>UpVote</CODE><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><BR /> <A href="https://answers.splunk.com/answers/309910/how-to-monitor-a-folder-for-newest-files-only-file.html">https://answers.splunk.com/answers/309910/how-to-monitor-a-folder-for-newest-files-only-file.html</A></P> <P>Also check <CODE>inodes</CODE>; your <CODE>splunk</CODE> user should probably be running <CODE>ulimit unlimited</CODE> (or something quite large). This can also cause inability to handle large numbers of files and directories.</P> Sun, 10 Sep 2017 06:45:27 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315336#M59014 woodcock 2017-09-10T06:45:27Z https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315337#M59015 <P>thank you. I think this was the issue. There were thousands of extra directories that , while empty, would keep the tailingprocessor busy.</P> Mon, 11 Sep 2017 15:06:57 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-not-detecting-local-files-recursively/m-p/315337#M59015 millarma 2017-09-11T15:06:57Z