Solved: Cant add my complete list of sources. - Page 2

clintla · ‎06-21-2011

I've got 2 folders of config data- both have 21 files.

Splunk is only adding 17 from one folder & 9 from the other.
All these files contain very similar data & all the filename
formats are identical

I've tried things like deleting all files, running
splunk clean all -f
then creating all files new.
Nogo.

Tried instead of adding the directory but just adding full path
to the files I noticed it was missing but it says that they are
already added.

Tried making a new directory of all the missing files & adding
this new directory for splunk to consume- nogo. Still just sees
26 sources.

If I do a search on the source that is not listed- finds no hits
& these files are not searchable in anyway through splunk.

Looking for ways to troubleshoot this problem.

Tried copying one of the directories to another server running
another trial version (4.2.1) & it only saw the same 9 files.

Checked the rights/permissions of the files, checked data.. all
the same. Not sure why Splunk has a problem with these data files.

jbsplunk · ‎06-23-2011

What does it show you about the file if you look at the rest endpoint from the command line? From $SPLUNK_HOME/bin you can run 'splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus'. It should tell you what the status of the file is, if Splunk read it, what the size was when it was read, and to what percentage splunk read the file.

View solution in original post

Cant add my complete list of sources.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!