I've got 2 folders of config data- both have 21 files.
Splunk is only adding 17 from one folder & 9 from the other.
All these files contain very similar data & all the filename
formats are identical.
I've tried things like deleting all files, running
splunk clean all -f
then creating all files new.
Nogo.
Tried, instead of adding the directory, just adding the full path
to the files I noticed it was missing, but it says that they are
already added.
Tried making a new directory of all the missing files & adding
this new directory for splunk to consume- nogo. Still just sees
26 sources.
If I do a search on the source that is not listed- finds no hits
& these files are not searchable in any way through Splunk.
Looking for ways to troubleshoot this problem.
Tried copying one of the directories to another server running
another trial version (4.2.1) & it only saw the same 9 files.
Checked the rights/permissions of the files, checked data.. all
the same. Not sure why Splunk has a problem with these data files.
What does it show you about the file if you look at the REST endpoint from the command line? From $SPLUNK_HOME/bin you can run 'splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus'. It should tell you what the status of the file is, if Splunk read it, what the size was when it was read, and to what percentage Splunk read the file.
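
With 42 files expected and 26 indexed, the endpoint output is easier to check by script than by eye. The following is an added example, not part of the original answer or of Splunk: it parses saved output of that command and reports every expected file that is untracked or read to less than 100%. The XML shape, the namespace, the field names `percent` and `type`, and the sample paths and status text are assumptions or constructed values; `file_status` and `unread` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Assumed namespace for the <s:dict>/<s:key> elements in Splunk REST output.
S = "{http://dev.splunk.com/ns/rest}"

# Constructed sample in the assumed output shape; paths and status text are made up.
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
<entry><content><s:dict><s:key name="inputs"><s:dict>
 <s:key name="/data/cfgA/router01.cfg"><s:dict>
  <s:key name="file position">2048</s:key>
  <s:key name="file size">2048</s:key>
  <s:key name="percent">100.00</s:key>
  <s:key name="type">finished reading</s:key>
 </s:dict></s:key>
 <s:key name="/data/cfgA/router02.cfg"><s:dict>
  <s:key name="type">constructed status: file skipped</s:key>
 </s:dict></s:key>
</s:dict></s:key></s:dict></content></entry>
</feed>"""

def file_status(output):
    """Map each path under the "inputs" key to its dict of status fields."""
    root = ET.fromstring(output[output.index("<"):])  # skip any text before the XML
    result = {}
    for key in root.iter(S + "key"):
        inner = key.find(S + "dict")
        if key.get("name") != "inputs" or inner is None:
            continue
        for entry in inner.findall(S + "key"):
            fields = entry.find(S + "dict")
            result[entry.get("name")] = {
                k.get("name"): (k.text or "").strip()
                for k in (fields.findall(S + "key") if fields is not None else [])
            }
    return result

def unread(output, expected_paths):
    """Return {path: reason} for expected files that were not fully read."""
    status = file_status(output)
    problems = {}
    for path in expected_paths:
        info = status.get(path)
        if info is None:
            problems[path] = "not tracked by the tailing processor"
        elif float(info.get("percent") or 0) < 100:
            # No percent, or a partial read: surface the status text as the reason.
            problems[path] = info.get("type", "no status reported")
    return problems
```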