help me on the following questions:
I would like to ask about Splunk configuration issue of not getting logs after doing configuration. i have added new data inputs in inputs.conf as i always does and I have already done /opt/splunk/bin/splunk reload deploy-server BUT the problem am not getting the logs in Splunk GUI ???
index= xxx host="y.y.y.y", i can't get its logs???
what the best way to do when opt/syslog directory is almost full??
Verify the user running the UF has read access to the logs.
Verify the settings in inputs.conf, including
sourcetype= are correct.
Verify the UF can connect to the indexer(s).
Make sure your search is looking for the right sourcetype in the right index.
Thank you for the quick response,
I have verified the settings in inputs.conf all are included correctly,
am getting logs from Syslog sender(network devices), I think UF we use it when it is operating system to forward logs while here is configuration of syslog sender , even when am searching index=xx , i can't find its data?
only i see it when i set the time before the configuration at this point i see the logs but after configuration i can't see that index??
I understand your inputs configuration is correct and the UF is forwarding other data.
Have you tried searching the future (latest=+1y) in case there's an error parsing dates?