https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496472#M84682 <P>both have root access</P> Mon, 16 Mar 2020 17:45:48 GMT rtalcik 2020-03-16T17:45:48Z https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496469#M84679 <P>So I have a seperate folder that was prebuilt from splunk universal forwarder. </P> <P>The folder path is :</P> <P>/opt/splunkforwarder/etc/apps/"MY folders HERE"</P> <P>one of the folders under /apps IS sending</P> <P>the other folder is not and all it has is a path of</P> <P>/apps/NOT SENDING FOLDER/local/input.conf</P> <P>inside inputs.conf I have</P> <P>[monitor:///var/log/router/<EM>.log]<BR /> host_regex=router/(.</EM>).log<BR /> sourcetype=cisco<BR /> index=net<BR /> crcSalt=<BR /> disabled = 0</P> <P>this is not monitoring the folder and NO logs are going into splunk</P> <P>however in the correct folder that is sending i have<BR /> [monitor:///var/log/security.log]<BR /> sourcetype = seclog<BR /> index = sec<BR /> disabled = 0</P> <P>I also have the following folders in the correct logs that i do not have in the no working log</P> <P>default local metadata README.md static</P> <P>was wondering if anyone can point me in the direction to help me figure out why one folder is sending but the other isnt.</P> Mon, 16 Mar 2020 17:09:12 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496469#M84679 rtalcik 2020-03-16T17:09:12Z https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496470#M84680 <P>I don't think it's something to do with apps. Configurations looks correct. Check user running splunk process has read permissions to log files in directory <EM>/var/log/router/</EM>.</P> <P>If user has read permissions then check for any errors in splunkd logs in /opt/splunkforwarder/var/log/splunk/.</P> Mon, 16 Mar 2020 17:31:03 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496470#M84680 manjunathmeti 2020-03-16T17:31:03Z https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496471#M84681 <P>very good point I will do.</P> Mon, 16 Mar 2020 17:31:45 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496471#M84681 rtalcik 2020-03-16T17:31:45Z https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496472#M84682 <P>both have root access</P> Mon, 16 Mar 2020 17:45:48 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496472#M84682 rtalcik 2020-03-16T17:45:48Z https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496473#M84683 <P>permissions seem fine. they all have root accesss rw both ways</P> Mon, 16 Mar 2020 18:03:44 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496473#M84683 rtalcik 2020-03-16T18:03:44Z https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496474#M84684 <P>Is root running splunk process? Check splunkd logs /opt/splunkforwarder/var/log/splunk/splunkd.logs and also check if index "net" is created on indexer servers.</P> Mon, 16 Mar 2020 18:19:55 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496474#M84684 manjunathmeti 2020-03-16T18:19:55Z https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496475#M84685 <P>So i fixed this issue but investigating the errors in splunkd logs like manjuanthemeti said above.</P> <P>This was resolved by finding out what the issue was and removing empty log files in the directory.</P> Mon, 16 Mar 2020 20:56:01 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-universal-forwarder-isnt-sending-ONE-folder/m-p/496475#M84685 rtalcik 2020-03-16T20:56:01Z