Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Deployment client only partially forwards data

ckunath
Communicator
‎04-26-2017 06:55 AM

Hello,

I have set up my Splunk Enterprise Instance as deployment-server and designated a forwarder on another machine as its deployment client.
In my $SPLUNK_HOME$/etc/deploymentapps/appname/local/inputs.conf I have these monitors configured:

[monitor:///data/crowd/logs]
disabled = false
index = crowd_dev

[monitor:///data/crowd/tomcat/logs]
disabled = false
index = crowd_dev

[monitor:///data/jenkins/.jenkins/logs]
disabled = false
index = jenkins_dev

[monitor:///data/sonarqube/current/logs]
disabled = false
index = sonarqube_dev

The first two monitors work fine, but for some reason however, I cannot find the logged data from my last two monitors.
The user that is running on the forwarding machine has rx rights on both directories, and I have no problem accessing them via CLI.

When updating the inputs.conf on deployment server side, I use ~/splunk reload deploy-server to update my deployment clients.

Is there something that I may have forgotten? Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ckunath
Communicator
‎04-27-2017 04:55 AM

I found the solution to my own problem.

I forgot to put the inputs.conf for my forwarders in a deployment-app, and then set it to enable on each forwarder after pushing it...
That's why it would not work. Ha!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ckunath
Communicator
‎04-27-2017 04:55 AM

I found the solution to my own problem.

I forgot to put the inputs.conf for my forwarders in a deployment-app, and then set it to enable on each forwarder after pushing it...
That's why it would not work. Ha!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-26-2017 07:22 AM

Try running a ./splunk list monitor to see if those paths are in the monitoring list. Also, check the splunkd.log on the forwarder to see if those paths were added to watch list or gave any error.

Reply
Solved! Jump to solution

ckunath
Communicator
‎04-26-2017 07:49 AM

They are indeed not on the monitor list despite being in the inputs.conf. Do you have any on how to fix this?

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎04-26-2017 07:54 AM

What type of files you're monitoring on those folders? May be try giving full path if you're just monitoring files inside the directory you specified in the inputs.conf.

Reply
Solved! Jump to solution

ckunath
Communicator
‎04-26-2017 11:37 PM

There are simple .log files in those directories.
Now everything went confusing - ./splunk list monitor shows that two monitors are active, but I am not receiving those two on my deployment server anymore .. Are there perhaps any parameters I forgot to set in either the servers or forwarders inputs.conf or outputs.conf?

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎04-26-2017 07:16 AM

hello ckunath,
is there data under /data/jenkins/.jenkins/logs and /data/sonarqube/current/logs?
do you see errors in splunk _internal index?

Reply
Solved! Jump to solution

ckunath
Communicator
‎04-26-2017 07:21 AM

Hello adonio,
yes, there is data in both folders.
there are no errors in index=_internal sourcetype=splunkd regarding my problematic monitor-directories sadly.

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...