Can't search events in newly added "Files&Directories" input

Path Finder

I recently added a new input to Files & Directories to parse xml files that log backup operations and set the sourcetype as "backup_files" (the first input to use this sourcetype). After adding the input, the Manager shows that that input sees 375 files, which is the correct number of files in the shared directory.

But I can't see those files anywhere in search. "backup_files" doesn't show up in the Summary, no words within those files result in hits of a search.

What am I missing?

Re: Can't search events in newly added "Files&Directories" input

SplunkTrust

I would take a look at https://YOURHOST:8089/admin/services/inputstatus.

(Note this is on the management port 8089, not the splunkWeb port 8000)

Just because the input is saying there are files there doesn't necessarily mean they're getting indexed. The inputstatus endpoint can tell you if they're matching blacklist config, or being flagged as binary, etc.

It can also happen sometimes that they're getting indexed, but not into the slice of time you might expect based on what Splunk sees in the events. Double check the timerange you're searching over and expand it to 'all time' if necessary.

Re: Can't search events in newly added "Files&Directories" input

Path Finder

I am searching by all-time, and the link you have returns 404.

Re: Can't search events in newly added "Files&Directories" input

Path Finder

8089/services/admin/inputstatus/TailingProcessor:FileStatus worked, though.

I see that the regex I used isn't matching the files (even though I tested it in regex tester ...)

Re: Can't search events in newly added "Files&Directories" input

Path Finder

https://YOURHOST:8089/admin/services/inputstatus/TailingProcessor:FileStatus showed that the RegEx was failing. The Whitelist regex needs to include the path as well as the filename.

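The whitelist behaviour described in the last reply, as an added example that is not part of the original thread: a pattern written for the filename alone fails once it is matched against the full path, so the files are silently skipped. The paths and patterns are constructed, `diagnose` is a hypothetical helper, and Python's `re` stands in for Splunk's PCRE engine.

```python
import re

# Constructed sample paths; the thread does not show the real directory.
SAMPLE_PATHS = [
    "/mnt/backups/job_0001.xml",
    "/mnt/backups/job_0002.xml.bak",
    "/mnt/backups/readme.txt",
]


def diagnose(whitelist, paths):
    """Classify each path the way a monitor whitelist would see it.

    The whitelist is searched against the full path. When that fails but the
    same pattern matches the bare filename, the pattern was written for the
    filename alone, which is the failure reported in the thread.
    """
    rx = re.compile(whitelist)
    verdicts = {}
    for path in paths:
        # Split on either separator so Windows-style paths work too.
        filename = re.split(r"[\\/]", path)[-1]
        if rx.search(path):
            verdicts[path] = "monitored"
        elif rx.search(filename):
            verdicts[path] = "skipped: matches filename only"
        else:
            verdicts[path] = "skipped: no match"
    return verdicts


if __name__ == "__main__":
    # First pattern is anchored to the filename; second accounts for the path.
    for pattern in (r"^job_\d+\.xml$", r"/job_\d+\.xml$"):
        print(f"whitelist = {pattern}")
        for path, verdict in diagnose(pattern, SAMPLE_PATHS).items():
            print(f"  {path}: {verdict}")
```
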