https://community.splunk.com/t5/Getting-Data-In/Monitored-input-not-showing-on-indexer/m-p/38811#M7172 <OL> <LI>How do you KNOW that you're not getting the DHCP logs indexed? </LI> <LI>What other data are you seeing from the forwarder?</LI> </OL> <P>Timestamps could be wrong. Have you searched for 'all time'?<BR /> Try a metadata search, that should show if there are any data indexed on a per sourcetype basis. </P> <PRE><CODE>| metadata type=sourcetypes </CODE></PRE> <P>Permissions. <BR /> You say you tried the rest interface (<CODE>https://[dhcphost]:8089/services/admin/inputstatus/TailingProcessor:FileStatus</CODE>, I assume). Any errors listed? 100% done?</P> <P>Do you have permissions to access the index where the DHCP data is supposed to land? Is it searched by default, or would you have to specify <CODE>index=blaha</CODE> as part of your search?</P> <P>/Kristian</P> Fri, 27 Apr 2012 20:19:22 GMT kristian_kolb 2012-04-27T20:19:22Z https://community.splunk.com/t5/Getting-Data-In/Monitored-input-not-showing-on-indexer/m-p/38810#M7171 <P>What am I missing here? I have an indexer with the appropriate ports open and working, version 4.3.2.</P> <P>I install the UniversalForwarder onto a Windows DHCP server. Stop the UniversalForwarder service, add the following config to $SPLUNKHOME\etc\system\local\input.conf</P> <PRE><CODE>[monitor://C:\Windows\System32\dhcp] sourcetype = DhcpSrvLog crcSalt = &lt;source&gt; alwaysOpenFile = 1 disabled = false whitelist = Dhcp.+\.log </CODE></PRE> <P>Restart the service. Check the inputstatus on the forwarder, (https://[dhcphost]:8089/services/admin/inputstatus/) and it has enumerated all the appropriate DHCP log files with correct sizes.</P> <P>Without doing anything else, I would expect the raw log entries to appear on the indexer. I <EM>do</EM> receive other system events from the same host on the indexer -- so I know the forwarder is working, but it isn't working for the monitored logs. What am I missing?</P> Fri, 27 Apr 2012 18:43:25 GMT https://community.splunk.com/t5/Getting-Data-In/Monitored-input-not-showing-on-indexer/m-p/38810#M7171 kingpin867 2012-04-27T18:43:25Z https://community.splunk.com/t5/Getting-Data-In/Monitored-input-not-showing-on-indexer/m-p/38811#M7172 <OL> <LI>How do you KNOW that you're not getting the DHCP logs indexed? </LI> <LI>What other data are you seeing from the forwarder?</LI> </OL> <P>Timestamps could be wrong. Have you searched for 'all time'?<BR /> Try a metadata search, that should show if there are any data indexed on a per sourcetype basis. </P> <PRE><CODE>| metadata type=sourcetypes </CODE></PRE> <P>Permissions. <BR /> You say you tried the rest interface (<CODE>https://[dhcphost]:8089/services/admin/inputstatus/TailingProcessor:FileStatus</CODE>, I assume). Any errors listed? 100% done?</P> <P>Do you have permissions to access the index where the DHCP data is supposed to land? Is it searched by default, or would you have to specify <CODE>index=blaha</CODE> as part of your search?</P> <P>/Kristian</P> Fri, 27 Apr 2012 20:19:22 GMT https://community.splunk.com/t5/Getting-Data-In/Monitored-input-not-showing-on-indexer/m-p/38811#M7172 kristian_kolb 2012-04-27T20:19:22Z https://community.splunk.com/t5/Getting-Data-In/Monitored-input-not-showing-on-indexer/m-p/38812#M7173 <P>Arggh, I'm embarrassed. I wasn't using the correct terminology and everything was getting there correctly. Thanks for the nudge!</P> Fri, 27 Apr 2012 20:48:00 GMT https://community.splunk.com/t5/Getting-Data-In/Monitored-input-not-showing-on-indexer/m-p/38812#M7173 kingpin867 2012-04-27T20:48:00Z https://community.splunk.com/t5/Getting-Data-In/Monitored-input-not-showing-on-indexer/m-p/38813#M7174 <P>you're welcome <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 27 Apr 2012 20:56:16 GMT https://community.splunk.com/t5/Getting-Data-In/Monitored-input-not-showing-on-indexer/m-p/38813#M7174 kristian_kolb 2012-04-27T20:56:16Z