Getting Data In

Help with monitoring stanza


Below are the files to monitor


Below is the stanza I am using


Is this the correct monitor stanza or am I doing something wrong?

0 Karma

Esteemed Legend

The stanza is correct but did you assign a sourcetype=foo and index=bar under it so that you know where to look for the data?

0 Karma


If that stanza results in those files being monitored, then the stanza is correct. If the files are not monitored, then something is amiss and you should share the entire stanza.

If this reply helps you, an upvote would be appreciated.
0 Karma


index = main
sourcetype = db_health

The above stanza is from the deployment server and below is the event from the internal logs for that host

03-19-2019 14:01:47.251 -0400 INFO WatchedFile - Will begin reading at offset=522894 for file='/var/log/cbsensor/cbdaemon.ORCLPRODSS1-AZ3.invalid-user.log.INFO.20190318-103119.10963

0 Karma

Ultra Champion

Oh, you should look for something like -

-- 03-16-2019 23:00:00.089 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/Backup/HealthCheck/Reports/CBA_HC_Mar_19_19_08_27_03.log'.

Your monitor stanza looks just fine.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!