Archive

Splunk configuration issue

Explorer

Greetings!!

help me on the following questions:

  1. I would like to ask about Splunk configuration issue of not getting logs after doing configuration. i have added new data inputs in inputs.conf as i always does and I have already done /opt/splunk/bin/splunk reload deploy-server BUT the problem am not getting the logs in Splunk GUI ???
    index= xxx host="y.y.y.y", i can't get its logs???

  2. what the best way to do when opt/syslog directory is almost full??

0 Karma

SplunkTrust
SplunkTrust

Verify the user running the UF has read access to the logs.
Verify the settings in inputs.conf, including index= and sourcetype= are correct.
Verify the UF can connect to the indexer(s).
Make sure your search is looking for the right sourcetype in the right index.

---
If this reply helps you, an upvote would be appreciated.

Explorer

Hi richgalloway?

Thank you for the quick response,
I have verified the settings in inputs.conf all are included correctly,
am getting logs from Syslog sender(network devices), I think UF we use it when it is operating system to forward logs while here is configuration of syslog sender , even when am searching index=xx , i can't find its data?
only i see it when i set the time before the configuration at this point i see the logs but after configuration i can't see that index??

0 Karma

SplunkTrust
SplunkTrust

I understand your inputs configuration is correct and the UF is forwarding other data.
Have you tried searching the future (latest=+1y) in case there's an error parsing dates?

---
If this reply helps you, an upvote would be appreciated.
0 Karma