I recently added a new input to Files & Directories to parse xml files that log backup operations and set the sourcetype as "backup_files" (the first input to use this sourcetype). After adding the input, the Manager shows that that input sees 375 files, which is the correct number of files in the shared directory.
But I can't see those files anywhere in search. "backup_files" doesn't show up in the Summary, no words within those files result in hits of a search.
What am I missing?
https://YOURHOST:8089/admin/services/inputstatus/TailingProcessor:FileStatus showed that the RegEx was failing. The Whitelist regex needs to include the path as well as the filename.
https://YOURHOST:8089/admin/services/inputstatus/TailingProcessor:FileStatus showed that the RegEx was failing. The Whitelist regex needs to include the path as well as the filename.
I would take a look at https://YOURHOST:8089/admin/services/inputstatus.
(Note this is on the management port 8089, not the splunkWeb port 8000)
Just because the input is saying there are files there doesnt necessarily mean they're getting indexed. The inputstatus endpoint can tell you if they're matching blacklist config, or being flagged as binary etc..
It can also happen sometimes that they're getting indexed, but not into the slice of time you might expect based on what Splunk sees in the events. Double check the timerange you're searching over and expand it to 'all time' if necessary.
8089/services/admin/inputstatus/TailingProcessor:FileStatus worked, though.
I see that the regex I used isn't matching the files (even though I tested it in regex tester ...)
I am searching by all-time, and the link you have returns 404.