Deployment client only partially forwards data

ckunath
Communicator

Hello,

I have set up my Splunk Enterprise Instance as deployment-server and designated a forwarder on another machine as its deployment client.
In my $SPLUNK_HOME$/etc/deploymentapps/appname/local/inputs.conf I have these monitors configured:

[monitor:///data/crowd/logs]
disabled = false
index = crowd_dev

[monitor:///data/crowd/tomcat/logs]
disabled = false
index = crowd_dev

[monitor:///data/jenkins/.jenkins/logs]
disabled = false
index = jenkins_dev

[monitor:///data/sonarqube/current/logs]
disabled = false
index = sonarqube_dev

The first two monitors work fine, but for some reason I cannot find the logged data from my last two monitors.
The user that is running on the forwarding machine has rx rights on both directories, and I have no problem accessing them via CLI.

When updating the inputs.conf on deployment server side, I use ~/splunk reload deploy-server to update my deployment clients.

Is there something that I may have forgotten? Thanks in advance.


ckunath
Communicator

I found the solution to my own problem.

I forgot to put the inputs.conf for my forwarders in a deployment-app, and then set it to enable on each forwarder after pushing it...
That's why it would not work. Ha!

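The fix above comes down to the forwarder never having received an enabled copy of the app that carries inputs.conf. As an added example (not code from the thread or from Splunk), this Python script compares the deployment server's inputs.conf text with the copy found on a forwarder and lists monitor paths that are missing or disabled; the forwarder-side sample and all function names are constructed for illustration.

```python
# Added example, not from the thread: diff intended vs. deployed monitor inputs.
PREFIX = "monitor://"

def monitor_stanzas(conf_text):
    """Return {path: {setting: value}} for each [monitor://...] stanza."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            # Settings under any other stanza type are skipped (current = None).
            current = stanzas.setdefault(name[len(PREFIX):], {}) if name.startswith(PREFIX) else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def is_disabled(settings):
    return settings.get("disabled", "false").lower() in ("true", "1")

def coverage_gaps(intended_text, deployed_text):
    """Return [(path, reason)] for inputs the forwarder will not collect."""
    deployed = monitor_stanzas(deployed_text)
    gaps = []
    for path, want in monitor_stanzas(intended_text).items():
        if is_disabled(want):
            continue  # switched off on purpose in the deployment app
        have = deployed.get(path)
        if have is None:
            gaps.append((path, "stanza missing on forwarder"))
        elif is_disabled(have):
            gaps.append((path, "stanza disabled on forwarder"))
    return gaps

def stanza(path, index, disabled="false"):  # helper to build sample conf text
    return "[monitor://%s]\ndisabled = %s\nindex = %s\n" % (path, disabled, index)

# The four stanzas from the question, as held on the deployment server.
INTENDED = (stanza("/data/crowd/logs", "crowd_dev")
            + stanza("/data/crowd/tomcat/logs", "crowd_dev")
            + stanza("/data/jenkins/.jenkins/logs", "jenkins_dev")
            + stanza("/data/sonarqube/current/logs", "sonarqube_dev"))
# Constructed forwarder copy: jenkins arrived disabled, sonarqube never arrived.
DEPLOYED = (stanza("/data/crowd/logs", "crowd_dev")
            + stanza("/data/crowd/tomcat/logs", "crowd_dev")
            + stanza("/data/jenkins/.jenkins/logs", "jenkins_dev", disabled="true"))

for path, reason in coverage_gaps(INTENDED, DEPLOYED):
    print(path, "->", reason)
```

Feeding it the real file contents from both hosts turns a silent gap in log collection into an explicit list of paths to fix.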

somesoni2
Revered Legend

Try running ./splunk list monitor to see if those paths are in the monitoring list. Also, check the splunkd.log on the forwarder to see if those paths were added to the watch list or gave any error.

ckunath
Communicator

They are indeed not on the monitor list despite being in the inputs.conf. Do you have any idea how to fix this?


somesoni2
Revered Legend

What type of files are you monitoring in those folders? Maybe try giving the full path if you're just monitoring files inside the directory you specified in the inputs.conf.

ckunath
Communicator

There are simple .log files in those directories.
Now everything got confusing: ./splunk list monitor shows that two monitors are active, but I am not receiving those two on my deployment server anymore. Are there perhaps any parameters I forgot to set in either the server's or forwarder's inputs.conf or outputs.conf?


adonio
Ultra Champion

Hello ckunath,
Is there data under /data/jenkins/.jenkins/logs and /data/sonarqube/current/logs?
Do you see errors in the Splunk _internal index?

ckunath
Communicator

Hello adonio,
Yes, there is data in both folders.
Sadly, there are no errors in index=_internal sourcetype=splunkd regarding my problematic monitor directories.
