Data not being indexed / inputs.conf

omuelle1
Communicator

Hi,

I have an issue with data not being indexed as expected. I have created a sourcetype and an index as I would expect. I have created a serverclass for both my servers app1 + app2 and I have the forwarder installed on both and all the same apps deployed.

My index.conf looks like this:

# I do see data indexed for this log
[monitor:///wmosapp/scope/ATL/WMS/profile-root/prod_atl_wms/log/scpp-prod_atl_wms.log]
sourcetype = wms
index = wms
ignoreOlderThan = 7d
disabled = false
host = app1.corp.xxx.com

# I do see data indexed for this log
[monitor:///wmosapp/scope/ATL/WMS/profile-root/atl_wms/log/scpp-prod_atl_wms.log]
sourcetype = wms
index = wms
ignoreOlderThan = 7d
disabled = false
host = app2.corp.xxx.com

# I do not see data indexed for this log
[monitor:///wmosapp/scope/DEN/WMS/profile-root/den_wms/log/scpp-den_wms_prod.log]
sourcetype = wms
index = wms
ignoreOlderThan = 7d
disabled = false
host = app1.corp.usa.com

# I see data indexed for this log
[monitor:///wmosapp/scope/DEN/WMS/profile-root/den_wms/log/scpp-den_wms_prod.log]
sourcetype = wms
index = wms
ignoreOlderThan = 7d
disabled = false
host = app2.corp.xxx.com

# I do not see data indexed for this log
[monitor:///wmosapp/scope/NEW/WMS/profile-root/new_wms/log/scpp-new_wms.log]
sourcetype = wms
index = wms
ignoreOlderThan = 7d
disabled = false
host = app1.corp.xxx.com

# I see data indexed for this log
[monitor:///wmosapp/scope/NEW/WMS/profile-root/new_wms/log/scpp-new_wms.log]
sourcetype = wms
index = wms
ignoreOlderThan = 7d
disabled = false
host = app2.corp.xxx.com

Pretty much I only see data being indexed from one of the app1 files but from all my app2 files. I checked the paths and they are correct.

Thank you very much for your help,

Oliver

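An added check, my own example and not code from the thread: a small parser that flags [monitor://] stanzas defined more than once in a single inputs.conf with differing values for the same key, which is the case for the DEN and NEW paths in the configuration above (once with host=app1, once with host=app2) while the same app is deployed to both forwarders. It assumes, and this is an assumption not stated on the page, that Splunk merges repeated stanzas within one file with the later value winning, so each forwarder would apply the last host= value for that path.

```python
# Added check, not from the thread: find [monitor://] stanzas that appear more
# than once in an inputs.conf with different values for the same key.
# Assumption (not stated on the page): Splunk merges repeated stanzas in one
# file and the later value of a repeated key wins on every forwarder.
from collections import defaultdict

# Constructed sample, reduced from the inputs.conf posted in the question.
SAMPLE_INPUTS_CONF = """
[monitor:///wmosapp/scope/ATL/WMS/profile-root/prod_atl_wms/log/scpp-prod_atl_wms.log]
index = wms
host = app1.corp.xxx.com

[monitor:///wmosapp/scope/DEN/WMS/profile-root/den_wms/log/scpp-den_wms_prod.log]
index = wms
host = app1.corp.usa.com

[monitor:///wmosapp/scope/DEN/WMS/profile-root/den_wms/log/scpp-den_wms_prod.log]
index = wms
host = app2.corp.xxx.com
"""


def parse_inputs_conf(text):
    """Return ({stanza: occurrence count}, {stanza: {key: [values in file order]}})."""
    seen = defaultdict(int)
    values = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # stanza header, e.g. monitor:///path
            seen[current] += 1
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            values[current][key].append(value)
    return seen, values


def find_conflicts(text):
    """Return {stanza: {key: [values]}} for stanzas defined more than once whose
    repeated keys disagree; values[-1] is the one assumed to take effect."""
    seen, values = parse_inputs_conf(text)
    conflicts = {}
    for stanza, count in seen.items():
        if count < 2:
            continue                      # defined once, nothing to merge
        diff = {k: v for k, v in values[stanza].items() if len(set(v)) > 1}
        if diff:
            conflicts[stanza] = diff
    return conflicts
```

Run it against the deployed app's inputs.conf; a stanza reported with two host values means both forwarders tag that file with the same, last-listed host, which matches app1 data showing up under app2.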

bohrasaurabh
Communicator

Oliver you mentioned -> "My index.conf looks like this:", I am assuming you meant "inputs.conf"

Can you also post your serverclass.conf for this config?

You don't have to specify host=... in inputs.conf unless the source of the data is from a different server than specified and you want to override the default hostname.

masonmorales
Influencer

Your inputs.conf configuration looks good. You restarted the UF (or Splunk) after updating inputs.conf, right? If so, the next step would be to take a look at the log file and see if there is anything related to the inputs being ignored. Splunk will tell you most of the time why it ignores an input. Try restarting Splunk and doing a tail -f $SPLUNK_HOME/var/log/splunk/splunkd.log

Sometimes you also have to wait a bit before data will show up on the indexer/search head (usually due to large files), but I would check the log first. You can also search index=_internal sourcetype=splunkd if you don't want to use tail.

omuelle1
Communicator

Thank you very much for your quick answer. I did what you said and I think I found the issue somewhere else.

When I actually look at the outputs, it takes output from app1 but it shows the host as app2:

I double checked and verified that the log file is actually from app1 but the host is being displayed as app2. Any idea where I can fix this?

Oliver

omuelle1
Communicator

Thank you, I meant inputs.conf, my bad.

I did remove all the host= but now it is not indexing any data any more at all.

I do not have a serverclass.conf on my forwarders; which app would I need to deploy to get this?

omuelle1
Communicator

Never mind, I restarted the whole SPLUNK and it works now. Thanks!!

bohrasaurabh
Communicator

I added my comments as a new answer. Can you please accept it as the correct answer and, if possible, award points. Thanks,
