I'm trying to use oneshot on a Windows HF to test some data. Here is the command and the result:
C:>"Program Files\Splunk\bin\splunk.exe" add oneshot \Tools\1dns.log -index test_dns
Oneshot 'C:\Tools\1dns.log' added
But when I do a search:
index=test_dns
I get no results.
I've repeated the oneshot multiple times.
I found this link: https://answers.splunk.com/answers/41990/how-long-to-wait-after-splunk-add-oneshot-before-doing-sear...
And when I checked the tailing processor page of the HF, it showed all the other files it had ingested or was continuing to ingest, but not 1dns.log.
I searched the _internal index for that file to see if there were any errors and the one most prevalent is:
0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sun Apr 16 08:06:17 2017). Context: source::C:\Tools\1dns.log|host::SPLUNK-04|DNS|9
---- Ah, searched on the date in the error above and found all my events.
Back to working to fix my props.conf.
Thanks for the tip @adonio, the source defaulted to what you suggested. I may need to specify the sourcetype, but the main problem seems to be my timestamp.
To repeat what I said above:
I searched the _internal index for that file to see if there were any errors and the one most prevalent was:
0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sun Apr 16 08:06:17 2017). Context: source::C:\Tools\1dns.log|host::SPLUNK-04|DNS|9
I searched the test_dns index specifically on the date in the error above and found all my events.
Back to working to fix my props.conf to fix the timestamp problem.
Specify the sourcetype at the oneshot command and have a props.conf with the following parameters set. The TIME parameters will take care of your timestamp issue. Make sure to restart the splunkd service after adding the props.conf.
[sourcetypename]
LINE_BREAKER
TIME_PREFIX
MAX_TIMESTAMP_LOOKAHEAD
TIME_FORMAT
TRUNCATE
# LINE_BREAKER should be properly set so you can keep SHOULD_LINEMERGE = false
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
Also be sure to check the time range of your search. If you're seeing nothing, and no errors, try "All Time".
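A quick way to validate TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT before restarting splunkd, added here as an example that is not part of any answer in this thread: it applies the three settings to sample lines the way Splunk's timestamp extraction does and reports which lines would fall back to the previous event's time (the DateParserVerbose warning seen above). The log format, the props values and the sample lines are constructed assumptions; the real 1dns.log format is not shown in the thread.

```python
import re
from datetime import datetime

# Constructed props.conf values for a hypothetical DNS log format (assumption).
PROPS = {
    "TIME_PREFIX": r"^",
    "MAX_TIMESTAMP_LOOKAHEAD": 22,
    "TIME_FORMAT": "%m/%d/%Y %I:%M:%S %p",
}

# Constructed sample lines: two carry a timestamp at the start, one is a
# header-style line without one, which is what triggers the fallback warning.
SAMPLE_LINES = [
    "4/16/2017 8:06:17 AM 0A2C PACKET  UDP Rcv 10.0.0.5 Q [0001 D NOERROR] A example.com.",
    "DNS Server log file creation at 4/16/2017 8:06:18 AM",
    "4/16/2017 8:06:19 AM 0A2C PACKET  UDP Snd 10.0.0.5 R [8081 DR NOERROR] A example.com.",
]


def extract_timestamp(line, props):
    """Emulate Splunk: locate TIME_PREFIX, then try TIME_FORMAT against the next
    MAX_TIMESTAMP_LOOKAHEAD characters. Returns a datetime, or None when the
    line would be stamped with the previous event's time instead."""
    m = re.search(props["TIME_PREFIX"], line)
    if not m:
        return None
    window = line[m.end(): m.end() + props["MAX_TIMESTAMP_LOOKAHEAD"]]
    # strptime needs the whole string to match, so shrink the window from the
    # right until the format fits (Splunk only needs the format to match a prefix).
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end].strip(), props["TIME_FORMAT"])
        except ValueError:
            continue
    return None


def check_lines(lines, props):
    """Return (number of lines parsed, 1-based numbers of lines that would be misdated)."""
    bad = [n for n, line in enumerate(lines, 1) if extract_timestamp(line, props) is None]
    return len(lines) - len(bad), bad


if __name__ == "__main__":
    parsed, bad = check_lines(SAMPLE_LINES, PROPS)
    print(f"{parsed} lines parsed; lines defaulting to previous timestamp: {bad}")
```

Run it against a few hundred real lines from the file; any line number it reports is one that will carry a wrong _time in the index, which is exactly what makes events vanish from a normal time-bounded search.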
@reswob4 - It looks like you're attempting to share how you found a solution to your issue, right? If so, can you please put how you found your solution in a separate answer below and "Accept" it? That way others can easily find it if they are running into the same problem. Thanks for sharing with the community!
Hey reswob4,
try this: from C:\Program Files\Splunk\bin\
run this: splunk add oneshot -source \Tools\1dns.log -index test_dns
make sure the file is in the exact full path, you probably need to specify C:\directory\directory\path\to\file
or copy paste from the windows explorer
example from docs here:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorfilesanddirectoriesusingtheCLI#Exampl...
hope it helps