Hi,
I have an issue with data not being indexed as expected. I have created a sourcetype and an indexed as I would expect. I have created a serverclass for my both servers app1 + app2 and I have the forwarder installed on both and all the same apps deployed.
My index.conf looks like this:
[monitor:///wmosapp/scope/ATL/WMS/profile-root/prod_atl_wms/log/scpp-prod_atl_wms.log] I do see data indexed for this log
sourcetype = wms
index = wms
disabled = false
host = app1.corp.xxx.com
[monitor:///wmosapp/scope/ATL/WMS/profile-root/atl_wms/log/scpp-prod_atl_wms.log] I do see data indexed for this log
sourcetype = wms
index = wms
disabled = false
host = app2.corp.xxx.com
[monitor:///wmosapp/scope/DEN/WMS/profile-root/den_wms/log/scpp-den_wms_prod.log] I do not see data indexed for this log
sourcetype = wms
index = wms
disabled = false
host = app1.corp.usa.com
[monitor:///wmosapp/scope/DEN/WMS/profile-root/den_wms/log/scpp-den_wms_prod.log] I see data indexed for this log
sourcetype = wms
index = wms
disabled = false
host = app2.corp.xxx.com
[monitor:///wmosapp/scope/NEW/WMS/profile-root/new_wms/log/scpp-new_wms.log] I do not see data indexed for this log
sourcetype = wms
index = wms
disabled = false
host = app1.corp.xxx.com
[monitor:///wmosapp/scope/NEW/WMS/profile-root/new_wms/log/scpp-new_wms.log] I see data indexed for this log
sourcetype = wms
index = wms
disabled = false
host = app2.corp.xxx.com
Pretty much I only see data being indexed from one of app1 files but all my app2 files. I checked the path and they are correct.
Thank you very much for your help,
Oliver
Oliver you mentioned -> "My index.conf looks like this:", I am assuming you meant "inputs.conf"
Can you also post your serverclass.conf for this config.
You dont have to specify host=... in the inputs.conf unless the source of the data is from a different server then specified and you want to override the default hostname.
Oliver you mentioned -> "My index.conf looks like this:", I am assuming you meant "inputs.conf"
Can you also post your serverclass.conf for this config.
You dont have to specify host=... in the inputs.conf unless the source of the data is from a different server then specified and you want to override the default hostname.
Your inputs.conf configuration looks good. You restarted the UF (or Splunk) after updating inputs.conf, right? If so, the next step would be to take a look at the log file and see if there is anything related to the inputs being ignored. Splunk will tell you most of the time why it ignores an input. Try restarting Splunk and doing a tail -f $SPLUNK_HOME/var/log/splunk/splunkd.log
Sometimes you also have to wait a bit before data will show up on the indexer/search head (usually due to large files), but I would check the log first. You can also search index=_internal sourcetype=splunkd if you don't want to use tail.
Thank you very much for your quick answer, I did what you said and I think the found the issue somewhere else.
When I actually look at the outputs, it takes output from app1 but it shows the host as app2:
I double checked and verfied that the log files is acutally from app1 but the host is being displayed as app2. Any idea where I can fix this?
Oliver
Oliver you mentioned -> "My index.conf looks like this:", I am assuming you meant "inputs.conf"
Can you also post your serverclass.conf for this config.
You dont have to specify host=... in the inputs.conf unless the source of the data is from a different server then specified and you want to override the default hostname.
Thank you, I meant inputs.conf , my bad.
I did remove all the host= but now it is not indexing any data any more at all.
I do not have a serverclass.conf on my forwarders, which app would I need to deploy to get this.
Nevermind, I restarted the whole SPLUNK and it works now. Thanks!!
I added my comments as new answer. Can you please accept it as correct answer and if possible award points. Thanks,