Hi Team,
I am facing an issue with a few of the servers for which the client had requested to on-board a new set of log data into Splunk. We deployed the monitoring stanza and parsing stanza by updating an existing app, and the app was successfully deployed to the respective servers. But we are unable to see data being ingested from the new monitoring stanza in Splunk. When troubleshooting, I could see this INFO message related to the monitoring stanza in the _internal logs. Apart from this INFO message, there are no other messages or events related to the below source in the _internal logs.
Monitoring Stanza details
[monitor:///usr/local/tet/t12/var/was/log/server.log]
sourcetype = usr:genericapp:server
index = test_index
disabled = 0
ignoreOlderThan = 14d
Parsing stanza:
[usr:genericapp:wfserver]
NO_BINARY_CHECK=true
LINE_BREAKER=([\r\n]+)\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\.\d{3}
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD= 23
SHOULD_LINEMERGE=false
internal logs:
1:40:04.292 PM
02-25-2022 13:40:04.292 +0000 INFO TailingProcessor - Parsing configuration stanza: monitor:///usr/local/tet/t12/var/was/log/server.log
Kindly guide me to fix this.
Hey @Hemnaath,
The INFO log you are seeing doesn't seem to be a warning. Can you run the below command on the forwarder and check if the file has been monitored or not?
$SPLUNK_HOME/bin/splunk list inputstatus
That can be considered as the first step to troubleshoot monitor inputs.
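An offline check that can sit beside the `list inputstatus` step, added here as an example (not code from this thread or from Splunk): it parses the inputs.conf and props.conf text posted in the question and reports, per monitor stanza, a sourcetype with no props.conf stanza of the same name and a file whose modification time is past `ignoreOlderThan`. The function names, the abridged props settings and the mtime values passed in are assumptions for illustration.

```python
import re

# Stanzas as posted in the question (props.conf settings abridged).
INPUTS = """\
[monitor:///usr/local/tet/t12/var/was/log/server.log]
sourcetype = usr:genericapp:server
index = test_index
disabled = 0
ignoreOlderThan = 14d
"""
PROPS = """\
[usr:genericapp:wfserver]
SHOULD_LINEMERGE=false
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def to_seconds(span):
    """Convert an ignoreOlderThan value such as 14d, 12h, 30m or 45s."""
    number, unit = re.fullmatch(r"(\d+)([smhd])", span).groups()
    return int(number) * UNITS[unit]

def check_monitors(inputs, props, mtimes, now):
    """Return (path, finding) pairs; mtimes maps path -> epoch mtime,
    now is the current epoch time (time.time() on a live host)."""
    findings, known = [], parse_conf(props)
    for name, cfg in parse_conf(inputs).items():
        if not name.startswith("monitor://"):
            continue
        path = name[len("monitor://"):]
        st = cfg.get("sourcetype")
        if st and st not in known:  # source:: and host:: stanzas are not matched here
            findings.append((path, f"no props.conf stanza [{st}]"))
        limit = cfg.get("ignoreOlderThan")
        if limit and path in mtimes and now - mtimes[path] > to_seconds(limit):
            findings.append((path, f"mtime older than ignoreOlderThan={limit}"))
    return findings
```

On a forwarder, build `mtimes` with `os.path.getmtime` for each monitored path; a finding is a lead to verify against `list inputstatus`, not a confirmed cause.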
Getting the below message when I run the command:
$SPLUNK_HOME/bin/splunk list inputstatus
This command [GET /services/admin/inputstatus] needs splunkd to be up, and splunkd is down.
Checked that the Splunk services are up and running.
Same problem. Is your issue resolved with that or not?
Please provide steps to troubleshoot that problem.
Is the issue fixed?