Getting Data In

How to debug why a universal forwarder is parsing files from paths but no data is ingested?

jvmerilla
Path Finder

Hi Everyone,

I am trying to monitor xml files from a directory in a certain server. But for some unknown reason/s no data is coming in.

I have tried different path in the inputs.conf assuming that the provided path is not correct.

As I check on the _internal logs, I can see the following events will all the paths I have in my inputs.conf. However, there's still no data ingested.

TailingProcessor - Adding watch on path: <path1>
TailingProcessor - Adding watch on path: <path2>
TailingProcessor - Adding watch on path: <path3>
TailingProcessor - Parsing configuration stanza: monitor:<path1>
TailingProcessor - Parsing configuration stanza: monitor:<path2>
TailingProcessor - Parsing configuration stanza: monitor:<path3>

What could be error in this?

Hope someone could help me with this.

Thanks in advance!

Tags (1)
0 Karma

harsmarvania57
Ultra Champion

If you are using Splunk UF 6.3+ then you can use below command on UF to check monitoring status of various files.

$SPLUNK_HOME/bin/splunk list inputstatus
0 Karma

jvmerilla
Path Finder

Hi @harsmarvania57,

Thanks for your comment.
Unfortunately, we do not have access on the server.
Hopefully, we will be given access so we can check.

Thanks again!

0 Karma

woodcock
Esteemed Legend

You need to show us the inputs.conf file, at a minimum. The more/better information that you provide, the better we can help you.

0 Karma

jvmerilla
Path Finder

Hi @woodcock,
Below is a sample of the inputs.conf

[monitor://G:\rcad.net\dfs\TEST\SAMPLE\PROD\BTS-TEST-Testing-PROD-NAV\ERROR\]
whitelist=.*\.xml
disabled = false
index = test_index
sourcetype = test_srctype

[monitor://G:\rcad.net\dfs\TEST\SAMPLE\PROD\BTS-TEST-Testing-PROD-NAV\ERROR\*.xml]
disabled = false
index = test_index
sourcetype = test_srctype 

I have tried using whitelist but it still does not work.

0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...