I have a file in production that appears to not be indexed as running a search for
index=<name> returns no results. The file has no header and has the following field format.
2016-04-05 02:51:05.4457|Error|Error receiving response: Connection timeout
I have tested this file on my locally installed instance by replacing the first pipe with a space as to isolate the time field as such.
2016-04-05 02:51:05.4457 Error|Error receiving response: Connection timeout
This worked on my local instance. However, I am unable to modify the production file. Is there a way to mimic this change through settings to work on the production file?
I created a new .txt file and copied a couple logs over to the new file. I then added another stanza to monitor that file, and the new file was indexed but not the old. I have tried .txt and .log suffixes. Here is the current
[monitor://C:\Program Files (x86)\Sell\LPClient.txt] index = LP sourcetype = LPClient_log disabled = 0 [monitor://C:\Program Files (x86)\Sell\NewTextDocument.txt] index = LP sourcetype = LPClient_log disabled = 0
index=_internal sourcetype=splunkd host=<hostname> *<filename>* and see what is returned.
You might see something like this:
09-14-2016 21:50:06.008 +0000 INFO TailingProcessor - Ignoring file '/var/log/folder/file.log' due to: binary
A few things:
TIME_FORMAT = %Y-%m-%din props.conf for the source