Solved: Data Ingest issues

ChristianF · ‎09-05-2023

Howdy Splunkers,

Working on my Splunk deployment and ran into a funky issue. I am ingesting Palo Alto FW and Meraki network device logs via syslog server. Rsyslog is set to write logs down to a file and the UF is set to monitor the directories.

No issues there, however I do run into an issue why I try to source type or set an index for these logs. I have edited the indexes.conf in the local folder on my cluster manager and pushed the required indexes to my indexers. When I go to search for the logs on my search head I cannot find any data. However it works properly whenever i do not have sourcetyping and index destination in my inputs.conf.

Any idea as to why?

ChristianF · ‎09-06-2023

I actually ended up resolving the issue myself, I didn't have my indexes.conf file on my search head which didn't allow me to see the data on my cluster.

View solution in original post

Manojbh_splunk · ‎09-05-2023

Are you monitoring the path where the logs are written in the UF.

can you share your inputs.conf ? this will help you check further.

ChristianF · ‎09-06-2023

I actually ended up resolving the issue myself, I didn't have my indexes.conf file on my search head which didn't allow me to see the data on my cluster.

PickleRick · ‎09-06-2023

Lack of indexes.conf on SH results only in lack of auto-completion in the search edit window. You still can manually write which index you want to search and it works.

PickleRick · ‎09-05-2023

We need more info. Especially relevant configs.

Data Ingest issues

indexer

inputs.conf

universal forwarder

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...