topic Re: Not Receiving data from particular source in Splunk Search

Why am I not receiving data from particular source?

Vani_26 — Sat, 30 Jul 2022 22:19:44 GMT

Hi, I have 4 sources from one sourcetype . so i am getting data from 3 sources but not from other 1 source.

Logs are present , but not showing up in splunk.
checked inputs.conf everything is--same configuration for all 4 sources.
crccsalt=source is also there in inputs.config.
restarted the servers, but still not able to see the data

Can you please tell me anything i am missing.

Re: Not Receiving data from particular source

inventsekar — Sat, 30 Jul 2022 06:49:21 GMT

Hi @Vani_26 ... we may need some more details please..

1. Approx when all these 4 logs are added to splunk? (recently or long back?)

2. Any recent changes in Splunk environment? are you using HF?

3. Are these 4 logs are same type? i mean, simple file monitoring or what these 4 sources pls

4. on the internal logs, do you see any errors, warnings pls.

5. these 4 logs are there locally on Splunk system or you have UF reading these logs and then sending them to indexer?

Re: Not Receiving data from particular source

Vani_26 — Sat, 30 Jul 2022 13:55:14 GMT

1. Approx when all these 4 logs are added to splunk? (recently or long back?)

From 3 sources logs are recent, but from other 1 source there are logs on july1st after that no logs and again i see logs on 29th july.

2. Any recent changes in Splunk environment? are you using HF?

no changes in recent logs and i am not using HF.

3. Are these 4 logs are same type? i mean, simple file monitoring or what these 4 sources pls
All the 4 sources logs are of below format
eg: 2022-07-29 12:00:31,630 hgdshgdjsjsnk........................

and my inputs.conf is
[monitior: ///abc/adcd/logs/adc-adc-adc-as-ATV/*.log]
index=abc
sourcetype=abcd
crscSalt=<Source>
intCrcLength=1024
no_binary_check=true
disabled=0
followtail=1

4. on the internal logs, do you see any errors, warnings pls.
No error or warnings in internal logs.

5. these 4 logs are there locally on Splunk system or you have UF reading these logs and then sending them to indexer?
these all 4 sources are from UF and then sending them to indexer.

Re: Not Receiving data from particular source

jamie00171 — Sun, 31 Jul 2022 08:52:58 GMT

Hi @Vani_26

From inputs.conf docs regrading "followTail"

* If you set to "1", monitoring starts at the end of the file (like
  *nix 'tail -f'). The input does not read any data that exists in
  the file when it is first encountered. The input only reads data that
  arrives after the first encounter time.

So it could be that if you create a file there then none of the initial data will be indexed. The docs also don't recommend having followTail set to 1. I think best practice would be to create a new file each time there is new data to be written to Splunk.

Thanks,

Jamie

Re: Not Receiving data from particular source

Vani_26 — Thu, 04 Aug 2022 21:53:25 GMT

hi @jamie00171 ,

what you said is correct about the follow tail=1, when i removed it, i can see the source which was missing before.
It really helped me a lot, thank you.