topic Re: Why my Windows logs don't reach Splunk? in Getting Data In

Why my Windows logs don't reach Splunk?

ddrillic — Fri, 10 Feb 2017 16:44:29 GMT

We see the following -

02-09-2017 21:12:49.973 -0600 INFO  TailingProcessor - Parsing configuration stanza: monitor://E:\logs\sessiondelete\*_DELETESCRIPT.log.

And -

02-09-2017 21:12:49.973 -0600 INFO  TailingProcessor - Adding watch on path: E:\logs\sessiondelete.

But they don't reach the indexers. Any ideas?

Re: Why my Windows logs don't reach Splunk?

vasanthmss — Fri, 10 Feb 2017 16:47:20 GMT

follow the steps from the below url, http://docs.splunk.com/Documentation/Splunk/6.5.2/Troubleshooting/Cantfinddata .

Re: Why my Windows logs don't reach Splunk?

ddrillic — Fri, 10 Feb 2017 16:57:52 GMT

Great link - the only thing that I don't know is whether the forwarder can access this Windows folder ...

Re: Why my Windows logs don't reach Splunk?

Richfez — Fri, 10 Feb 2017 17:50:08 GMT

Sysinternals tool Process Explorer can easily find out if your UF has that file open.

Open Process Explorer, click the binoculars, search for E:\whatever in there. If the UF has the file open, it'll be listed.

Re: Why my Windows logs don't reach Splunk?

pradeepkumarg — Fri, 10 Feb 2017 19:21:46 GMT

Windows doesn't play well with wild cards on the monitor path. Try using whiteliest and blacklist instead to wild card your file names.

Re: Why my Windows logs don't reach Splunk?

ddrillic — Fri, 10 Feb 2017 19:24:21 GMT

Seriously? do you have any docs about it, by any chance?

I see the following at Specify input paths with wildcards

Re: Why my Windows logs don't reach Splunk?

somesoni2 — Fri, 10 Feb 2017 19:44:45 GMT

Check for error like access denied on the splunkd.log on the forwarder (for that file).

Re: Why my Windows logs don't reach Splunk?

ddrillic — Fri, 10 Feb 2017 19:49:56 GMT

The only references to DELETESCRIPT in splunkd.log are the two at the beginning of this thread...

Re: Why my Windows logs don't reach Splunk?

somesoni2 — Tue, 29 Sep 2020 12:49:57 GMT

The forwarder should be sending _internal data to Indexers, do you at least see that (to confirm that outputs.conf is configured correctly, check index=_internal host=yourForwarder ). Also, restart your forwarder and check the splunkd.log for errors and warning, you may catch something relevant.

Re: Why my Windows logs don't reach Splunk?

pradeepkumarg — Fri, 10 Feb 2017 20:02:47 GMT

From - http://docs.splunk.com/Documentation/Splunk/6.0/Data/Specifyinputpathswithwildcards

Caution: In Windows, you cannot currently use a wildcard at the root level. For example, this does not work:

[monitor://E:...\foo\*.log]
Splunk Enterprise logs an error and fails to index the desired files.

This is a known issue, described in the Known Issues topic of the Release Notes. Look there for details on all known issues.

This might have been fixed in later versions, I'm not sure.

Re: Why my Windows logs don't reach Splunk?

ddrillic — Sat, 11 Feb 2017 00:30:44 GMT

Gorgeous - it worked now. Please convert the comment to an answer so I can accept it...

Re: Why my Windows logs don't reach Splunk?

pradeepkumarg — Sat, 11 Feb 2017 00:47:26 GMT

Glad it helped..

Re: Why my Windows logs don't reach Splunk?

ddrillic — Sat, 11 Feb 2017 00:57:00 GMT

Very much appreciated!!!