Getting Data In
Highlighted

ERROR TailingProcessor - Ignoring path due to: This key could not be found : _MetaData:Index

Contributor

I checked out the new Universal Forwarder and ran into some problems that I dont understand.
First I configured the forwarder by creating a "output.conf" and "input.conf" in /opt/splunkforwarder/etc/system/local.

The content of output.conf:

[tcpout:indexerNeo]

server=mapache.server.org:55515

The content of input.conf:

[monitor:///var/log/apache2/modsec_audit.log]

sourcetype=modsec

I got some errors in the splunkd.log that I dont understand:

05-03-2011 15:35:14.993 +0000 WARN TcpOutputProc - Pipeline data does not have indexKey. [path] = /var/log/apache2/modsecaudit.log

[startOffset] = 38875

[
fnameCrc] = 9536363811639999154

[seekCrc] = 8646198035968417993

[
fishKey] = 15451249598830936081

[modTime] = 1304436775

[
raw] =

[MetaData:Source] = source::/var/log/apache2/modsecaudit.log

[MetaData:Host] = host::s152188.onlinehome-server.info

[MetaData:Sourcetype] = sourcetype::modsec

[
done] = done

[
hpn] = hpn

[
conf] = source::/var/log/apache2/modsec_audit.log|host::s152188.onlinehome-server.info|modsec|

05-03-2011 15:35:16.714 +0000 ERROR TailingProcessor - Ignoring path due to: This key could not be   found : _MetaData:Index

Is there anybody who can help me?

0 Karma
Highlighted

Re: ERROR TailingProcessor - Ignoring path due to: This key could not be found : _MetaData:Index

Contributor

Ok, I did it. I had to set an index to write the input to.

I added and index and then the line in "input.conf" file:

[monitor:///var/log/apache2/modsec_audit.log]

sourcetype=modsec

index=modsec

View solution in original post