Getting Data In

Deployment client only partially forwards data

ckunath
Communicator

Hello,

I have set up my Splunk Enterprise Instance as deployment-server and designated a forwarder on another machine as its deployment client.
In my $SPLUNK_HOME$/etc/deploymentapps/appname/local/inputs.conf I have these monitors configured:

[monitor:///data/crowd/logs]
disabled = false
index = crowd_dev

[monitor:///data/crowd/tomcat/logs]
disabled = false
index = crowd_dev

[monitor:///data/jenkins/.jenkins/logs]
disabled = false
index = jenkins_dev

[monitor:///data/sonarqube/current/logs]
disabled = false
index = sonarqube_dev

The first two monitors work fine, but for some reason I cannot find the logged data from my last two monitors.
The user that is running on the forwarding machine has rx rights on both directories, and I have no problem accessing them via CLI.

When updating the inputs.conf on deployment server side, I use ~/splunk reload deploy-server to update my deployment clients.

Is there something that I may have forgotten? Thanks in advance.

1 Solution

ckunath
Communicator

I found the solution to my own problem.

I forgot to put the inputs.conf for my forwarders in a deployment-app, and then set it to enable on each forwarder after pushing it...
That's why it would not work. Ha!

somesoni2
SplunkTrust

Try running ./splunk list monitor to see if those paths are in the monitoring list. Also, check the splunkd.log on the forwarder to see if those paths were added to the watch list or gave any error.

ckunath
Communicator

They are indeed not on the monitor list despite being in the inputs.conf. Do you have any idea how to fix this?


somesoni2
SplunkTrust

What type of files are you monitoring in those folders? Maybe try giving the full path if you're just monitoring files inside the directory you specified in the inputs.conf.

ckunath
Communicator

There are simple .log files in those directories.
Now everything got confusing - ./splunk list monitor shows that two monitors are active, but I am not receiving those two on my deployment server anymore... Are there perhaps any parameters I forgot to set in either the server's or forwarder's inputs.conf or outputs.conf?


adonio
Ultra Champion

hello ckunath,
is there data under /data/jenkins/.jenkins/logs and /data/sonarqube/current/logs?
do you see errors in splunk _internal index?

ckunath
Communicator

Hello adonio,
yes, there is data in both folders.
there are no errors in index=_internal sourcetype=splunkd regarding my problematic monitor-directories sadly.
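
The check suggested earlier in the thread (compare the output of ./splunk list monitor with the monitor stanzas in inputs.conf) can be scripted. This is an added example, not code from any poster in this thread; the list monitor sample is constructed, its layout and the log file names are assumptions, and the function names are hypothetical.

```python
import configparser

# inputs.conf stanzas as posted in the thread.
INPUTS_CONF = """\
[monitor:///data/crowd/logs]
disabled = false
index = crowd_dev
[monitor:///data/crowd/tomcat/logs]
disabled = false
index = crowd_dev
[monitor:///data/jenkins/.jenkins/logs]
disabled = false
index = jenkins_dev
[monitor:///data/sonarqube/current/logs]
disabled = false
index = sonarqube_dev
"""

# Constructed sample of `splunk list monitor` output (layout and file names assumed).
LIST_MONITOR = """\
Monitored Directories:
    /data/crowd/logs
        /data/crowd/logs/crowd.log
    /data/crowd/tomcat/logs
        /data/crowd/tomcat/logs/catalina.out
Monitored Files:
"""

def monitor_stanzas(conf_text):
    """Return {path: index} for every enabled [monitor://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    stanzas = {}
    for name in cp.sections():
        off = cp[name].get("disabled", "false").strip().lower() in ("1", "true")
        if name.startswith("monitor://") and not off:
            stanzas[name[len("monitor://"):]] = cp[name].get("index")
    return stanzas

def missing_monitors(conf_text, list_output):
    """Configured monitor paths that do not appear in the forwarder's list."""
    active = {l.strip() for l in list_output.splitlines() if l.strip().startswith("/")}
    return sorted(
        path for path in monitor_stanzas(conf_text)
        if not any(a == path or a.startswith(path.rstrip("/") + "/") for a in active)
    )

if __name__ == "__main__":
    print("configured but not monitored:", missing_monitors(INPUTS_CONF, LIST_MONITOR))
```

Run against the inputs.conf that is actually on the forwarder; a path reported here means the stanza never reached the forwarder's active configuration or was rejected when loaded.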
