Getting Data In

How can Splunk index a file without a file extension?

Communicator

I have several servers with SQL logs that are in the format:

sqlerror
sqlerror.1
sqlerror.2

I have tried all kinds of wildcard variations, but I cannot get Splunk to index these files. I can see from the internal logs that Splunk says it is watching the file, yet it never indexes any data from it. Anyone face a similar issue?


Re: How can Splunk index a file without a file extension?

SplunkTrust

Can you try something like this (assuming files with extension .1/.2 are rollover files and don't have to be monitored)?

[monitor://D:\Your Path\To Log File\Till TheFolder\Containing The\SQL Logs]
whitelist = sqlerror$
index = yourindex
sourcetype = yoursourcetype
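As an added illustration (not part of the original thread), here is a small Python model of how a monitor stanza's whitelist/blacklist regexes select files, run over constructed paths shaped like the ones in the question. It assumes Splunk's documented behaviour that both settings are regular expressions searched against the full path, that a blacklist match overrides a whitelist match, and that the folder is monitored recursively by default; the file names and the `archive` subfolder are made up for the example.

```python
import re

# Constructed sample directory listing, shaped like the question's files.
# The stanza in the answer monitors the folder recursively (Splunk's default).
CANDIDATES = [
    r"D:\SQL Logs\sqlerror",
    r"D:\SQL Logs\sqlerror.1",
    r"D:\SQL Logs\sqlerror.2",
    r"D:\SQL Logs\errorlog",
    r"D:\SQL Logs\archive\sqlerror",
]

def monitored_paths(paths, whitelist=None, blacklist=None):
    """Return the paths a [monitor://...] stanza would pick up.

    Assumed Splunk semantics: whitelist and blacklist are regular
    expressions searched (unanchored) against the full path. A path is
    kept only if it matches the whitelist (when one is set) and does not
    match the blacklist; a blacklist match always wins.
    """
    wl = re.compile(whitelist) if whitelist else None
    bl = re.compile(blacklist) if blacklist else None
    kept = []
    for path in paths:
        if wl and not wl.search(path):
            continue
        if bl and bl.search(path):
            continue
        kept.append(path)
    return kept

def live_file_only(paths):
    # The answer's setting: 'sqlerror$' keeps the live file and drops the
    # rotated copies, but also matches a same-named file in any subfolder.
    return monitored_paths(paths, whitelist=r"sqlerror$")

def live_and_rotated(paths):
    # Stricter variant: require the path separator before the name (so a
    # file called 'mysqlerror' would not match), accept the rotated copies,
    # and blacklist the archive subfolder.
    return monitored_paths(paths,
                           whitelist=r"\\sqlerror(\.\d+)?$",
                           blacklist=r"\\archive\\")

if __name__ == "__main__":
    for p in live_file_only(CANDIDATES):
        print("live only:", p)
    for p in live_and_rotated(CANDIDATES):
        print("with rotation:", p)
```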

Re: How can Splunk index a file without a file extension?

SplunkTrust

Does the Splunk user have permission to read the files? Maybe if you check the Windows security and application logs, you will find more details such as an access denied, etc.


Re: How can Splunk index a file without a file extension?

Communicator

It should, it is running under my user and I am able to open the files in question.


Re: How can Splunk index a file without a file extension?

Motivator

I would think that if the internal logs indicate that it is being watched then permissions "should" be correct - I really hate the word "should" - but Windows permissions could be very funky.

You need some special privileges to run a Windows service as your own userid (and it's not really recommended anyway), so perhaps those are not all set up. Can you run the service as Local System (or an MSA) to test for different behaviour?


Re: How can Splunk index a file without a file extension?

SplunkTrust

I hate to ask again, but did you check the Windows event logs? I know it's cliché, but they've seriously saved my butt on more than one occasion, only after I said... hmphh, there won't be anything in THOSE logs about THIS issue.


Re: How can Splunk index a file without a file extension?

Communicator

Nothing in the Windows logs.


Re: How can Splunk index a file without a file extension?

Path Finder

Hi,
Splunk definitely doesn't care about file extensions in general. You should be able to collect logs with no extension without trouble (I did it many times, exactly with SQL-related files).

I guess your problem is somewhere else, i.e. the watch on the path is correct but something else is going wrong. Take a look at this page of the Splunk wiki for troubleshooting the input monitoring process: http://wiki.splunk.com/Community:TroubleshootingMonitorInputs

Hope it helps,
regards


Re: How can Splunk index a file without a file extension?

Communicator

I should point out that the logs in question are SQL Server logs, if that makes a difference.


Re: How can Splunk index a file without a file extension?

SplunkTrust

Point of clarification: When you say "SQL Server Logs" - are we referring to plain text log files about the running of the SQL Server? Or are we talking about Transaction log files?
