Deployment Architecture

oneshot events not in index --- ooops problem solved

reswob4
Builder

I'm trying to use oneshot on a Windows HF to test some data. Here is the command and the result:

C:>"Program Files\Splunk\bin\splunk.exe" add oneshot \Tools\1dns.log -index test_dns
Oneshot 'C:\Tools\1dns.log' added

But when I do a search:

index=test_dns

I get no results.

I've repeated the oneshot multiple times.

I found this link: https://answers.splunk.com/answers/41990/how-long-to-wait-after-splunk-add-oneshot-before-doing-sear...

And when I checked the tailing processor page of the HF, it showed all the other files it had ingested or was continuing to ingest, but not 1dns.log.

I searched the _internal index for that file to see if there were any errors and the one most prevalent is:

0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sun Apr 16 08:06:17 2017). Context: source::C:\Tools\1dns.log|host::SPLUNK-04|DNS|9

---- Ah, searched on the date in the error above and found all my events.

Back to working to fix my props.conf.


reswob4
Builder

Thanks for the tip @adonio, the source defaulted to what you suggested. I may need to specify the sourcetype, but the main problem seems to be my timestamp.

To repeat what I said above:

I searched the _internal index for that file to see if there were any errors and the one most prevalent was:

0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sun Apr 16 08:06:17 2017). Context: source::C:\Tools\1dns.log|host::SPLUNK-04|DNS|9

I searched the test_dns index specifically on the date in the error above and found all my events.

Back to working to fix my props.conf to fix the timestamp problem.


gmjATredjack
Engager

Also be sure to check the time range of your search. If you're seeing nothing, and no errors, try "All Time".

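The two findings above (the accepted answer's DateParserVerbose warnings, and the advice to widen the time range) describe one mechanism: an event whose timestamp cannot be parsed inherits the previous event's timestamp, so a batch of events can stack up on a date the default "Last 24 hours" window never covers. The script below is an added example, not code from the thread or from Splunk. It models the props.conf settings TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD with plain strptime, applies them to constructed sample lines (laid out like a Windows DNS debug log, but not the poster's 1dns.log, whose contents the thread never shows), and reproduces the fallback and the empty search. The fallback order (previous event, then the file's modification time) and the warning text are modelled on Splunk's documented behaviour, not copied from it.

```python
"""Emulate Splunk timestamp extraction and its fallback on parse failure.

Added example; not the thread's or Splunk's own code. Constructed inputs
and simplified props.conf handling throughout.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines in a Windows-DNS-debug-log-like layout.
SAMPLE_LOG = """\
4/16/2017 8:06:17 AM 0B18 PACKET UDP Rcv 10.0.0.5 Q [0001 D NOERROR] A (7)example(3)com(0)
4/16/2017 8:06:18 AM 0B18 PACKET UDP Snd 10.0.0.5 R [8081 DR NOERROR] A (7)example(3)com(0)
4/16/2017 8:06:19 AM 0B18 PACKET UDP Rcv 10.0.0.7 Q [0001 D NOERROR] AAAA (7)example(3)com(0)
4/16/2017 8:06:20 AM 0B18 PACKET UDP Snd 10.0.0.7 R [8081 DR NOERROR] AAAA (7)example(3)com(0)
"""

# Stand-ins for a [DNS] sourcetype stanza in props.conf (assumed, not the
# poster's). PROPS_GOOD matches the sample lines; PROPS_BAD is an ISO-8601
# guess that matches nothing, the kind of mismatch that yields
# "DateParserVerbose - Failed to parse timestamp".
PROPS_GOOD = {
    "TIME_PREFIX": r"^",
    "TIME_FORMAT": "%m/%d/%Y %I:%M:%S %p",
    "MAX_TIMESTAMP_LOOKAHEAD": 22,
}
PROPS_BAD = dict(PROPS_GOOD, TIME_FORMAT="%Y-%m-%d %H:%M:%S")

# Constructed file mtime and the (later) time the search was run.
SOURCE_MTIME = datetime(2017, 4, 16, 8, 6, 17)
SEARCH_TIME = datetime(2017, 4, 20, 9, 0, 0)


def extract_timestamp(line, props):
    """Return the datetime found after TIME_PREFIX inside the lookahead window, or None."""
    m = re.search(props["TIME_PREFIX"], line)
    if not m:
        return None
    window = line[m.end(): m.end() + props["MAX_TIMESTAMP_LOOKAHEAD"]]
    # strptime needs an exact match, so try the longest prefix of the window first.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], props["TIME_FORMAT"])
        except ValueError:
            continue
    return None


def ingest(raw, props, source_mtime):
    """Assign _time to every line; on failure inherit the previous event's time.

    The first event with nothing to inherit falls back to the file's mtime.
    Returns (events, warnings), the warnings shaped like the _internal message.
    """
    events, warnings = [], []
    previous = source_mtime
    for lineno, line in enumerate(raw.splitlines(), start=1):
        ts = extract_timestamp(line, props)
        if ts is None:
            warnings.append(
                "WARN DateParserVerbose - Failed to parse timestamp. "
                f"Defaulting to timestamp of previous event "
                f"({previous:%a %b %d %H:%M:%S %Y}). Context: line {lineno}"
            )
            ts = previous
        events.append({"_time": ts, "_raw": line})
        previous = ts
    return events, warnings


def count_in_window(events, earliest=None, latest=None):
    """Mimic the time picker: None on both sides is 'All time'."""
    return sum(
        1 for e in events
        if (earliest is None or e["_time"] >= earliest)
        and (latest is None or e["_time"] <= latest)
    )


def last_24h_count(events, now):
    """The default 'Last 24 hours' window relative to when the search runs."""
    return count_in_window(events, now - timedelta(hours=24), now)


if __name__ == "__main__":
    for name, props in (("good", PROPS_GOOD), ("bad", PROPS_BAD)):
        events, warnings = ingest(SAMPLE_LOG, props, SOURCE_MTIME)
        print(f"{name}: {len(warnings)} parse warnings, "
              f"{len({e['_time'] for e in events})} distinct timestamps, "
              f"{last_24h_count(events, SEARCH_TIME)} events in last 24h, "
              f"{count_in_window(events)} events all time")
```

With the matching format every line gets its own timestamp and no warning is logged; with the mismatched format every line is stacked on the mtime and four warnings land in _internal. In both cases a search run days later with the default window returns nothing, which is why "All time", or a window around the date quoted in the warning, is the first thing to try before touching props.conf.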


aaraneta_splunk
Splunk Employee

@reswob4 - It looks like you're attempting to share how you found a solution to your issue, right? If so, can you please put how you found your solution in a separate answer below and "Accept" it? That way others can easily find it if they are running into the same problem. Thanks for sharing with the community!


adonio
Ultra Champion

Hey reswob4,
try this: from C:\Program Files\Splunk\bin\
run this: splunk add oneshot -source \Tools\1dns.log -index test_dns

make sure the file is at the exact full path; you probably need to specify C:\directory\directory\path\to\file
or copy and paste it from Windows Explorer
example from docs here:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorfilesanddirectoriesusingtheCLI#Exampl...

hope it helps
