Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

files not being indexed

a212830
Champion
‎05-07-2013 08:56 AM

Hi,

I have a set of logfiles that I can't get indexed. I am getting some files, but not others.

Here's my inputs.conf. There are 3 types of files - SystemOut.log, SystemErr.log (which aren't working) and trace.log (which is working). The System log files exist, are recent, and I can access them, but they aren't showing up on my system. The trace files are showing up. The files exist in subdirectories below the ..profiles directory. I can't see any issues. Is this inputs correct? 

[monitor://F:\IBM\WebSphere\AppServer\profiles]
recursive = true
sourcetype = STGWProfileLogs_system
index = euc_sametimedata
crcSalt = <SOURCE>  
whitelist = SystemOut.log|SystemErr.log
ignoreOlderThan = 30d

[monitor://F:\IBM\WebSphere\AppServer\profiles]
recursive = true
sourcetype = STGWProfileLogs_trace
index = euc_sametimedata
crcSalt = <SOURCE>
whitelist = trace.log
Tags (2)
0 Karma
Reply

sbrant_splunk
Splunk Employee
Splunk Employee
‎05-09-2013 11:21 AM

You might want to give alwaysOpenFile = 1 a try.

From the docs: http://docs.splunk.com/Documentation/Splunk/5.0.2/admin/Inputsconf

alwaysOpenFile = [0|1]

  • Opens a file to check whether it has already been indexed.
    • Only useful for files that don't update modtime.
    • Only needed when monitoring files on Windows, mostly for IIS logs.
    • This flag should only be used as a last resort, as it increases load and slows down indexing.
    • Defaults to 0.
0 Karma
Reply

jdunlea_splunk
Splunk Employee
Splunk Employee
‎05-07-2013 01:30 PM

The whitelist that you have specified is not escaping the "." in the filename.

I think your whitelist should have back slashes before the .log

EG:

alt text

0 Karma
Reply

a212830
Champion
‎05-09-2013 10:46 AM

Didn't do it. I'm baffled. I've tried a number of different variations. My latest, which I think should work: (this is windows). The file is there, and I can edit it.

[monitor://F:\IBM\WebSphere\AppServer\profiles...\logs\System(Out|Err).log]
sourcetype = STMeetingProfileLogs_system
index = euc_sametimedata
crcSalt =

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...