Deployment Architecture

oneshot events not in index --- ooops problem solved

reswob4
Builder

I'm trying to use oneshot on a Windows HF to test some data. Here is the command and the result:

C:>"Program Files\Splunk\bin\splunk.exe" add oneshot \Tools\1dns.log -index test_dns
Oneshot 'C:\Tools\1dns.log' added

But when I do a search:

index=test_dns

I get no results.

I've repeated the oneshot multiple times.

I found this link: https://answers.splunk.com/answers/41990/how-long-to-wait-after-splunk-add-oneshot-before-doing-sear...

And when I checked the tailing processor page of the HF, it showed all the other files it had ingested or was continuing to ingest, but not 1dns.log.

I searched the _internal index for that file to see if there were any errors and the one most prevalent is:

0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sun Apr 16 08:06:17 2017). Context: source::C:\Tools\1dns.log|host::SPLUNK-04|DNS|9

---- Ah, searched on the date in the error above and found all my events.

Back to working to fix my props.conf.

0 Karma
1 Solution

reswob4
Builder

Thanks for the tip @adonio, the source defaulted to what you suggested. I may need to specify the sourcetype, but the main problem seems to be my timestamp.

To repeat what I said above:

I searched the _internal index for that file to see if there were any errors and the one most prevalent was:

0400 WARN DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event (Sun Apr 16 08:06:17 2017). Context: source::C:\Tools\1dns.log|host::SPLUNK-04|DNS|9

I searched the test_dns index specifically on the date in the error above and found all my events.

Back to working to fix my props.conf to fix the timestamp problem.

0 Karma

anwarmian
Communicator

Specify the sourcetype at the oneshot command and have a props.conf with the following parameters set.  The TIME parameters will take care of your timestamp issue.  Make sure to restart the splunkd service after adding the props.conf.

[sourcetypename]
LINE_BREAKER
TIME_PREFIX
MAX_TIMESTAMP_LOOKAHEAD
TIME_FORMAT
TRUNCATE
# LINE_BREAKER should be properly set so you can keep SHOULD_LINEMERGE = false
# (comments in .conf files must be on their own line; text after "=" is read as the value)
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true

0 Karma
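As an added example (not code from any post in this thread), a Python pre-flight check that emulates how TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT are applied to each line, so you can spot lines that would trigger the DateParserVerbose warning above before running oneshot again. The sample log lines and the setting values are constructed assumptions, not the poster's real 1dns.log.

```python
import re
from datetime import datetime

# Constructed sample in a Windows-DNS-debug-log-like layout (not the poster's 1dns.log);
# the last line deliberately carries a day/month timestamp that TIME_FORMAT cannot parse.
SAMPLE_LOG = """\
4/16/2017 8:06:17 AM 0B2C PACKET  UDP Rcv 10.0.0.5 Q [0001 D NOERROR] A (7)example(3)com(0)
4/16/2017 8:06:18 AM 0B2C PACKET  UDP Snd 10.0.0.5 R [8081 DR NOERROR] A (7)example(3)com(0)
16/04/2017 08:06:19 0B2C PACKET  UDP Rcv 10.0.0.7 Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
"""

# Hypothetical props.conf-style settings under test, chosen to fit the sample above.
TIME_PREFIX = r"^"
MAX_TIMESTAMP_LOOKAHEAD = 22
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_timestamp(line, time_prefix=TIME_PREFIX,
                    lookahead=MAX_TIMESTAMP_LOOKAHEAD, time_format=TIME_FORMAT):
    """Return the datetime these settings would extract, or None when parsing fails.

    Assumes Python strptime directives; Splunk-only ones such as %N or %Q are not handled.
    """
    m = re.search(time_prefix, line)
    if not m:
        return None
    # Only the characters after the prefix, up to the lookahead, are examined.
    window = line[m.end():m.end() + lookahead]
    # Splunk tolerates trailing text after the timestamp; emulate that by
    # shrinking the window from the right until strptime accepts it.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def check_log(text, **settings):
    """Return (lines parsed OK, [line numbers whose timestamp failed to parse])."""
    failures, parsed = [], 0
    for num, line in enumerate(text.splitlines(), start=1):
        if parse_timestamp(line, **settings) is None:
            failures.append(num)
        else:
            parsed += 1
    return parsed, failures


if __name__ == "__main__":
    ok, bad = check_log(SAMPLE_LOG)
    print(f"{ok} lines parsed, timestamp failures on lines {bad}")
```

A line reported here is one Splunk would stamp with the previous event's time, which is why the events in the thread only turned up when searching on the date from the warning.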

gmjATredjack
Engager

Also be sure to check the time range of your search. If you're seeing nothing, and no errors, try "All Time".

0 Karma

aaraneta_splunk
Splunk Employee

@reswob4 - It looks like you're attempting to share how you found a solution to your issue, right? If so, can you please put how you found your solution in a separate answer below and "Accept" it? That way others can easily find it if they are running into the same problem. Thanks for sharing with the community!

0 Karma

adonio
Ultra Champion

Hey reswob4,
try this: from C:\Program Files\Splunk\bin\
run this: splunk add oneshot -source \Tools\1dns.log -index test_dns

make sure the file is in the exact full path, you probably need to specify C:\directory\directory\path\to\file
or copy paste from the windows explorer
example from docs here:
https://docs.splunk.com/Documentation/Splunk/6.5.3/Data/MonitorfilesanddirectoriesusingtheCLI#Exampl...

hope it helps
