
Searching the fish bucket

New Member

Indexing server.log and boot.log files using the following stanzas for both:
[monitor:///opt/directory/logs/servername/boot.log]
disabled = false
index = rate
sourcetype = serverlog
blacklist = .gz$

[monitor:///opt/directory/logs/servername/server.log]
disabled = false
index = rate
sourcetype = serverlog
blacklist = .gz$

The behavior is inconsistent: sometimes both files are indexed, and in other cases only one file is. Is there a specific place (e.g. fishbucket) that I can search to see what got indexed or refused and why (any error messages)?

0 Karma

Splunk Employee

You can try looking at the status of the TailingProcessor which handles file monitor inputs.

https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus

Here's a Splunk Wiki page on troubleshooting monitor inputs.

https://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

Hope those help!

0 Karma
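One way to turn that endpoint's output into a per-file verdict for the two monitored paths, as an added example that is not part of the answer above or Splunk's own code. It assumes the response was fetched with `?output_mode=json`; the sample response, its field layout and its status strings are constructed here and should be compared with what your instance actually returns.

```python
import json

# Constructed sample, shaped like the endpoint's JSON response (assumed layout).
SAMPLE = json.dumps({"entry": [{
    "name": "TailingProcessor:FileStatus",
    "content": {"inputs": {
        "/opt/directory/logs/servername/server.log": {
            "file position": 52340, "file size": 52340,
            "percent": 100.0, "type": "finished reading"},
        "/opt/directory/logs/servername/boot.log": {
            "type": "Did not match whitelist (constructed message)"},
    }},
}]})

# The two paths from the monitor stanzas in the question.
EXPECTED = [
    "/opt/directory/logs/servername/boot.log",
    "/opt/directory/logs/servername/server.log",
]

def classify(status):
    """Map one per-file status dict to a coarse verdict."""
    if status is None:
        return "not-seen"      # no monitor input reported this path at all
    if "file size" not in status or "file position" not in status:
        return "skipped"       # listed but never opened; 'type' says why
    size, pos = int(status["file size"]), int(status["file position"])
    return "read" if pos >= size else "partial"

def audit(raw_json, expected=EXPECTED):
    """Return {path: (verdict, reason)} for every path we expect to be monitored."""
    inputs = {}
    for entry in json.loads(raw_json).get("entry", []):
        inputs.update(entry.get("content", {}).get("inputs", {}))
    report = {}
    for path in expected:
        status = inputs.get(path)
        reason = status.get("type", "") if status else "absent from FileStatus"
        report[path] = (classify(status), reason)
    return report

if __name__ == "__main__":
    for path, (verdict, reason) in audit(SAMPLE).items():
        print(f"{verdict:8} {path}  [{reason}]")
```

Running this against each host's response makes the inconsistency comparable across hosts: a `skipped` or `not-seen` file is an input-side problem, while a `read` file that is missing from search results was consumed by the monitor input, so the gap lies further along.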

New Member

Reviewed the status of the TailingProcessor on a few hosts and, again, the behavior is inconsistent. On one host, the file was read but nothing shows up in the search head (within the last 7 days). On another host, only one of the 2 stanzas was used for file comparison and indicated that there was no match, so the file was not read.

0 Karma