Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Old log files are not getting ingested into Splunk Cloud

anandhalagarasa
Path Finder
‎09-09-2019 06:41 AM

Hi Team,

We got an requirement to ingest the xyz.log from a client machine.

So i have created an app in the deployment master and deployed the same. The app has been successfully reached the client machine as well.

I have created an app and deployed the same on 8th Sep 2019 and the log file (xyz.log) has been lastly updated on 5th Sep 2019 in the client machine. Actually i believe the log file should be ingested into Splunk Cloud but here in this case its not getting ingested into Splunk Cloud.

So can i know what is the reason behind it and have enclosed my inputs.conf for reference. So kindly check and help on this.

[monitor:///abc/def/ijk/lmn/xyz.log]
sourcetype = pgr:stv
index = 123
disabled = 0

Kindly note the file has the splunk read permission and also in the internal logs it states that the configuration stanza as been parsed. The internal logs are reaching Splunk Cloud without any issues there is no connectivity issues as well.

But still i couldn't able to see the logs in Splunk Cloud.

Tags (1)
0 Karma
Reply

anandhalagarasa
Path Finder
‎09-09-2019 06:53 AM

Kindly help on my request

0 Karma
Reply

tkomatsubara_sp
Splunk Employee
Splunk Employee
‎09-09-2019 06:59 AM

At least, you should check the message in the splunkd.log. What can you find?

0 Karma
Reply

anandhalagarasa
Path Finder
‎09-09-2019 07:15 AM

@tkomatsubara,

In splunkd.log the file is getting parsed refer below:

09-09-2019 05:20:30.415 -0500 INFO TailingProcessor - Parsing configuration stanza: monitor:///abc/def/ijk/lmn/xyz.log

But still the logs are not getting indexed. So can i know how Splunk works? Will it ingest old data as well.

0 Karma
Reply

tkomatsubara_sp
Splunk Employee
Splunk Employee
‎09-09-2019 07:24 AM

There must be some errors. Can you find?

0 Karma
Reply

anandhalagarasa
Path Finder
‎09-10-2019 12:31 AM

There are no errors at all. Am i missing anything in the stanza. And one thing can you confirm is splunk can index the old date data as well.

0 Karma
Reply

anandhalagarasa
Path Finder
‎09-10-2019 08:13 AM

can anyone kindly help on my query.

0 Karma
Reply

anandhalagarasa
Path Finder
‎09-09-2019 07:21 AM

should i need to modify the inputs.conf stanza to ingest the old date logs. And the log date is on 5th Sep only. All seems to be fine but something it happens at the background and hence we couldn't able to ingest those logs.

Is this how Splunk works? Is it wont be able to ingest the old data logs kindly confirm please.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...