Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Cant find data added through inputs.conf

vaishnavi07
Explorer
‎11-13-2014 10:17 PM

I tried adding the data through inputs.conf. I am trying to add sample log file from my system to the splunk server. I added the below code to inputs.conf and restarted the server but i dont find any data in my index.

[monitor://C:\Windows\WindowsUpdate.log]
disabled=0
index=windowsupdate_test
sourcetype=windowsupdate

Does anyone know what may be the issue here? Thanks in advance.

Tags (1)
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎11-16-2014 04:30 AM

Hi Vaishavai07,

May I know Operating system of the forwarder splunk instance and Receiver splunk instance ( Indexer)?,hi vaishnavi,
may I know from which OS you want to get the data in? OR OS of the forwarder?
on which OS u have installed splunk server? OR OS of the Indexer(Receiver)?

OS - operating SYstem

————————————
If this helps, give a like below.
0 Karma
Reply

vaishnavi07
Explorer
‎11-16-2014 08:39 AM

Splunk is installed on linux machine. I am only trying to add the file by adding stanza in inputs.Conf but it is showing error as pathbis not absolute.

0 Karma
Reply

MuS
Legend
‎11-17-2014 12:29 AM

You cannot add a windows path as input on a lunix server. If you just want to index the file, copy it over to this directory on the Splunk Indexer $SPLUNK_HOME/var/spool/splunk everything in there will be indexed automatically.

Reply

splunker12er
Motivator
‎11-13-2014 11:01 PM

Did you search for all time?
Did you see any errors at splunkd.log ?
Are you using universal forwarder ?
- Check for the outputs.conf file for the correct IP of the indexer your are forwarding .

0 Karma
Reply

vaishnavi07
Explorer
‎11-13-2014 11:18 PM

Yes i searched for all time. I only need to add data into my server. For now i am not forwarding the data to any othere server.

0 Karma
Reply

MuS
Legend
‎11-13-2014 10:58 PM

Hi vaishnavi07,

there is a long list of possible issues here:

  • does the user running splunk have read rights on this file?
  • can you reach the index server from the UF (if you're using an UF, which is an universal forwarder)?
  • did you check on the source, where you changed the inputs.conf, in $SPLUNK_HOME\var\log\splunk\splunkd.log for any errors?
  • did you do an all time search on the index=windowsupdate_test ?
  • do you have the permission do search this index?
  • does this index exist?
  • typos anywhere?
  • .......

hope this helps to get you started

cheers, MuS

Reply

vaishnavi07
Explorer
‎11-14-2014 08:48 AM

Yes am running on linux. Is it not the format?

0 Karma
Reply

vaishnavi07
Explorer
‎11-13-2014 11:30 PM

it is located in $SPLUNK_HOME$/etc/system/local. I checked for the typos but everything is fine.Whatever i have posted in the question is what i have given there.

0 Karma
Reply

MuS
Legend
‎11-13-2014 11:36 PM

run $SPLUNK_HOME\bin\splunk cmd btool --debug inputs list monitor and check if your monitor stanza is listed

0 Karma
Reply

vaishnavi07
Explorer
‎11-14-2014 01:13 AM

When i run the command it shows that $SPLUNK_HOME should be set. But when i checked in splunk-launch.conf the SPLUNK_HOME is set correctly.

0 Karma
Reply

vaishnavi07
Explorer
‎11-14-2014 02:16 AM

When i check splunkd.log it is showing error as path is not aboslute.

0 Karma
Reply

jrodman
Splunk Employee
Splunk Employee
‎11-14-2014 07:55 AM

For a monitor line such as
[monitor://C:\Windows\WindowsUpdate.log] you will get an error that it is not absolute if you are running on UNIX. Are you running on UNIX?

0 Karma
Reply

vaishnavi07
Explorer
‎11-15-2014 07:41 PM

Hi Jrodman. Can you tell me the format as to how i should provide the path?

0 Karma
Reply

vaishnavi07
Explorer
‎11-13-2014 11:10 PM

When i try adding the same file through UI page it is working. But when i add it through inputs.conf i am not getting the data.

0 Karma
Reply

vaishnavi07
Explorer
‎11-13-2014 11:23 PM

Yes that is fine. Even when i add new data it is not getting added. Anything through inputs.conf is not adding.

0 Karma
Reply

MuS
Legend
‎11-13-2014 11:25 PM

where is this inputs.conf located? check for typos in that file

0 Karma
Reply

MuS
Legend
‎11-13-2014 11:18 PM

you are aware the fact, that once indexed data will not be re-indexed by Splunk simply because you add once again using a different method? You have to clean the so called fishbucket first, this is where Splunk saves what already was indexed.

0 Karma
Reply

vaishnavi07
Explorer
‎11-13-2014 11:08 PM

The index name is also not there in the splunkd.log. Does this mean there are no errors or it dint add the data at all?

0 Karma
Reply

MuS
Legend
‎11-13-2014 11:16 PM

did you created an index called windows update_test?

0 Karma
Reply

vaishnavi07
Explorer
‎11-13-2014 11:06 PM

Yes i have read rights on the file. I checked in splunkd.log and there are no entries in it. And also i did an All time search on the index. I have admin rights on the server and i have write permissions on this index.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top