
Why don't my Windows logs reach Splunk?

Ultra Champion

We see the following -

02-09-2017 21:12:49.973 -0600 INFO  TailingProcessor - Parsing configuration stanza: monitor://E:\logs\sessiondelete\*_DELETESCRIPT.log.

And -

02-09-2017 21:12:49.973 -0600 INFO  TailingProcessor - Adding watch on path: E:\logs\sessiondelete.

But they don't reach the indexers. Any ideas?

Re: Why don't my Windows logs reach Splunk?

Motivator

Re: Why don't my Windows logs reach Splunk?

Ultra Champion

Great link - the only thing that I don't know is whether the forwarder can access this Windows folder ...


Re: Why don't my Windows logs reach Splunk?

SplunkTrust

Sysinternals tool Process Explorer can easily find out if your UF has that file open.

Open Process Explorer, click the binoculars, search for E:\whatever in there. If the UF has the file open, it'll be listed.


Re: Why don't my Windows logs reach Splunk?

SplunkTrust

Check for errors such as "access denied" in splunkd.log on the forwarder (for that file).


Re: Why don't my Windows logs reach Splunk?

Ultra Champion

The only references to DELETESCRIPT in splunkd.log are the two at the beginning of this thread...


Re: Why don't my Windows logs reach Splunk?

SplunkTrust

The forwarder should be sending its internal data to the indexers; do you at least see that? (To confirm that outputs.conf is configured correctly, check index=_internal host=yourForwarder.) Also, restart your forwarder and check splunkd.log for errors and warnings; you may catch something relevant.


Re: Why don't my Windows logs reach Splunk?

Influencer

Windows doesn't play well with wildcards in the monitor path. Try using whitelist and blacklist instead to wildcard your file names.

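A worked inputs.conf for the case in this thread, added here as an example; it is not taken from the thread or from Splunk's documentation. It assumes the directory and filename pattern from the question (E:\logs\sessiondelete, *_DELETESCRIPT.log); the index and sourcetype values are placeholders.

```ini
# Added example inputs.conf for a Windows universal forwarder.
# Assumes the path from the question; index and sourcetype are placeholders.
# Splunk .conf files treat '#' as a comment only at the start of a line,
# so nothing is placed after a key = value pair.

# Before: the wildcard sits inside the monitor path. The forwarder logs
# "Parsing configuration stanza" and "Adding watch on path" for the
# directory, but no file is ever read. Kept here commented out.
# [monitor://E:\logs\sessiondelete\*_DELETESCRIPT.log]
# index = windows_app
# sourcetype = sessiondelete

# After: monitor the directory itself and select files with a whitelist.
# whitelist and blacklist are regular expressions matched against the full
# path, so the literal dot is escaped and the pattern is anchored at the end
# of the filename; rotated copies such as x_DELETESCRIPT.log.1 do not match.
[monitor://E:\logs\sessiondelete]
whitelist = _DELETESCRIPT\.log$
recursive = false
index = windows_app
sourcetype = sessiondelete
disabled = false
```

Two details worth remembering when adapting this: a path that matches both whitelist and blacklist is excluded (blacklist wins), and a Windows path separator inside either regex must be written as `\\`. After the change, restart the forwarder and look in splunkd.log for entries naming the individual *_DELETESCRIPT.log files, not just the directory watch.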

Re: Why don't my Windows logs reach Splunk?

Ultra Champion

Seriously? Do you have any docs about it, by any chance?

I see the following at Specify input paths with wildcards


Re: Why don't my Windows logs reach Splunk?

Influencer

From - http://docs.splunk.com/Documentation/Splunk/6.0/Data/Specifyinputpathswithwildcards

Caution: In Windows, you cannot currently use a wildcard at the root level. For example, this does not work:

[monitor://E:...\foo\*.log]

Splunk Enterprise logs an error and fails to index the desired files.

This is a known issue, described in the Known Issues topic of the Release Notes. Look there for details on all known issues.

This might have been fixed in later versions, I'm not sure.
