Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Data Ingest issues

ChristianF
Explorer
‎09-05-2023 08:42 AM

Howdy Splunkers,

 

Working on my Splunk deployment and ran into a funky issue. I am ingesting Palo Alto FW and Meraki network device logs via syslog server. Rsyslog is set to write logs down to a file and the UF is set to monitor the directories.

 

No issues there, however I do run into an issue why I try to source type or set an index for these logs. I have edited the indexes.conf in the local folder on my cluster manager and pushed the required indexes to my indexers.  When I go to search for the logs on my search head I cannot find any data. However it works properly whenever i do not have sourcetyping and index destination in my inputs.conf.

Any idea as to why?

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ChristianF
Explorer
‎09-06-2023 05:17 AM

I actually ended up resolving the issue myself, I didn't have my indexes.conf file on my search head which didn't allow me to see the data on my cluster.

View solution in original post

Reply
Solved! Jump to solution

Manojbh_splunk
Loves-to-Learn
‎09-05-2023 02:05 PM

Are you monitoring the path where the logs are written in the UF.

can you share your inputs.conf ? this will help you check further.

0 Karma
Reply
Solved! Jump to solution
Solution

ChristianF
Explorer
‎09-06-2023 05:17 AM

I actually ended up resolving the issue myself, I didn't have my indexes.conf file on my search head which didn't allow me to see the data on my cluster.

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-06-2023 08:52 AM

Lack of indexes.conf on SH results only in lack of auto-completion in the search edit window. You still can manually write which index you want to search and it works.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-05-2023 01:27 PM

We need more info. Especially relevant configs.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...