Deployment client only partially forwards data

ckunath
Communicator

Hello,

I have set up my Splunk Enterprise Instance as deployment-server and designated a forwarder on another machine as its deployment client.
In my $SPLUNK_HOME$/etc/deploymentapps/appname/local/inputs.conf I have these monitors configured:

[monitor:///data/crowd/logs]
disabled = false
index = crowd_dev

[monitor:///data/crowd/tomcat/logs]
disabled = false
index = crowd_dev

[monitor:///data/jenkins/.jenkins/logs]
disabled = false
index = jenkins_dev

[monitor:///data/sonarqube/current/logs]
disabled = false
index = sonarqube_dev

The first two monitors work fine, but for some reason I cannot find the logged data from my last two monitors.
The user that is running on the forwarding machine has rx rights on both directories, and I have no problem accessing them via CLI.

When updating the inputs.conf on deployment server side, I use ~/splunk reload deploy-server to update my deployment clients.

Is there something that I may have forgotten? Thanks in advance.

0 Karma
1 Solution

ckunath
Communicator

I found the solution to my own problem.

I forgot to put the inputs.conf for my forwarders in a deployment-app, and then set it to enable on each forwarder after pushing it...
That's why it would not work. Ha!

0 Karma

somesoni2
Revered Legend

Try running ./splunk list monitor to see if those paths are in the monitoring list. Also, check the splunkd.log on the forwarder to see if those paths were added to the watch list or gave any error.

ckunath
Communicator

They are indeed not on the monitor list despite being in the inputs.conf. Do you have any idea how to fix this?

0 Karma

somesoni2
Revered Legend

What type of files are you monitoring in those folders? Maybe try giving the full path if you're just monitoring files inside the directory you specified in the inputs.conf.

ckunath
Communicator

There are simple .log files in those directories.
Now everything got confusing - ./splunk list monitor shows that two monitors are active, but I am not receiving those two on my deployment server anymore. Are there perhaps any parameters I forgot to set in either the server's or forwarder's inputs.conf or outputs.conf?

0 Karma

adonio
Ultra Champion

Hello ckunath,
Is there data under /data/jenkins/.jenkins/logs and /data/sonarqube/current/logs?
Do you see errors in the Splunk _internal index?

ckunath
Communicator

Hello adonio,
Yes, there is data in both folders.
Sadly, there are no errors in index=_internal sourcetype=splunkd regarding my problematic monitor directories.

0 Karma
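
The thread checks directory permissions and data presence by hand. As an added example (not from the thread and not Splunk code), the script below parses the monitor stanzas of an inputs.conf and checks, as the current user, that each path exists and that the files under it are readable, since rx on a directory does not imply read access to the files inside. The function names and the `root` test prefix are hypothetical, and it assumes plain paths without wildcards, run as the account the forwarder runs under.

```python
import os
import re

# Two of the monitor stanzas from the question, used as sample input.
INPUTS_CONF = """\
[monitor:///data/crowd/logs]
disabled = false
index = crowd_dev

[monitor:///data/jenkins/.jenkins/logs]
disabled = false
index = jenkins_dev
"""

def parse_monitors(conf_text):
    """Return {path: {key: value}} for every [monitor://...] stanza."""
    monitors, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            m = re.fullmatch(r"monitor://(.+)", header.group(1))
            current = monitors.setdefault(m.group(1), {}) if m else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return monitors

def check_monitor(path, root=""):
    """Count readable/unreadable files under one monitored path (root: test prefix)."""
    real = root + path
    if not os.path.exists(real):
        return {"status": "missing", "readable": 0, "unreadable": 0}
    files = [real] if os.path.isfile(real) else [
        os.path.join(d, f) for d, _sub, fs in os.walk(real) for f in fs]
    ok = sum(os.access(f, os.R_OK) for f in files)
    bad = len(files) - ok
    status = "no-readable-files" if not ok else ("partial" if bad else "ok")
    return {"status": status, "readable": ok, "unreadable": bad}

def audit(conf_text, root=""):
    """Map each enabled monitor path to its filesystem check result."""
    return {p: check_monitor(p, root) for p, s in parse_monitors(conf_text).items()
            if s.get("disabled", "false").lower() not in ("true", "1")}

if __name__ == "__main__":
    print(audit(INPUTS_CONF))
```

A path that is missing here, or absent from the forwarder's own inputs.conf altogether, points back to app deployment rather than permissions, which is where this thread ended up.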