I am working in a single node environment (indexer is also deployment-server) and I am having trouble determining why Splunk will not index a log file of mine. I set up the configurations in the serverclass.conf and white-listed a new server "server12". This serverclass was already monitoring multiple other servers. The same log file "D:\Logfile\logs.csv" is being monitored on each of the servers and can be seen in the logs coming from all servers except for "server12". I also see other logs coming from "server12" but I do not see the "D:\Logfile\logs.csv" file.
My conclusions thus far:
Because I see logs coming from "server12" I know it is not a network/FW issue. And the permissions on the logfile are the same throughout each of the servers so Splunk has permission to read the file.
My question:
Is there a simple way to troubleshoot this or does anyone know if I am missing anything in my configurations?
Running Splunk version: Splunk 6.0 (build 182037)
I think I see it.
Try this:
[monitor://D:\\Logfilelogs.csv]
Yes, Splunkd and splunkweb were restarted along with a
"splunk reload deploy-server"
Serverclass:
[serverClass:SC-admin]
whitelist.0 = server1
whitelist.1 = server2
whitelist.2 = server3
whitelist.3 = server4
whitelist.4 = server5
whitelist.5 = server6
whitelist.6 = server7
whitelist.7 = server8
whitelist.8 = server9
whitelist.9 = server12
[serverClass:SC-admin:app:SC-loghistory-inputs]
$SPLUNK_HOME$/etc/deployment-apps/SC-loghistory-inputs/local/inputs.conf
[monitor://D:\Logfile\logs.csv]
index = loghistory
sourcetype = csv-2
disabled = false
crcSalt =
Did you try restarting splunkd after the changes?
Can you post your serverclass.conf and also your inputs.conf where you have defined monitor stanzas?