Searching the fish bucket

mvangamf · ‎05-31-2016

Indexing server.log and boot.log files using the following stanzas for both:
[monitor:///opt/directory/logs/servername/boot.log]
disabled = false
index = rate
sourcetype = serverlog
blacklist = .gz$

[monitor:///opt/directory/logs/servername/server.log]
disabled = false
index = rate
sourcetype = serverlog
blacklist = .gz$

The behavior is inconsistent where sometime both files are indexed and cases where only one file is. Is there a specific place (e.g. fishbucket) that I can search to see what got indexed or refused and why (any error messages)?

shaskell_splunk · ‎05-31-2016

You can try looking at the status of the TailingProcessor which handles file monitor inputs.

https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus

Here's a Splunk Wiki page on troubleshooting monitor inputs.

https://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

Hope those help!

mvangamf · ‎06-01-2016

Reviewed status of the TailingProcessor on a few hosts and again, the behavior is inconsistent. On one host, the file was read but nothing shows up in the search head (within last 7 days). On another host, only one of the 2 stanzas was used for file comparison and indicated that there was no match so file was not read.

Searching the fish bucket

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!