How to debug why a universal forwarder is parsing ...

jvmerilla · ‎07-29-2019

Hi Everyone,

I am trying to monitor xml files from a directory in a certain server. But for some unknown reason/s no data is coming in.

I have tried different path in the inputs.conf assuming that the provided path is not correct.

As I check on the _internal logs, I can see the following events will all the paths I have in my inputs.conf. However, there's still no data ingested.

TailingProcessor - Adding watch on path: <path1>
TailingProcessor - Adding watch on path: <path2>
TailingProcessor - Adding watch on path: <path3>
TailingProcessor - Parsing configuration stanza: monitor:<path1>
TailingProcessor - Parsing configuration stanza: monitor:<path2>
TailingProcessor - Parsing configuration stanza: monitor:<path3>

What could be error in this?

Hope someone could help me with this.

Thanks in advance!

harsmarvania57 · ‎07-30-2019

If you are using Splunk UF 6.3+ then you can use below command on UF to check monitoring status of various files.

$SPLUNK_HOME/bin/splunk list inputstatus

jvmerilla · ‎07-30-2019

Hi @harsmarvania57,

Thanks for your comment.
Unfortunately, we do not have access on the server.
Hopefully, we will be given access so we can check.

Thanks again!

woodcock · ‎07-29-2019

You need to show us the inputs.conf file, at a minimum. The more/better information that you provide, the better we can help you.

jvmerilla · ‎07-30-2019

Hi @woodcock,
Below is a sample of the inputs.conf

[monitor://G:\rcad.net\dfs\TEST\SAMPLE\PROD\BTS-TEST-Testing-PROD-NAV\ERROR\]
whitelist=.*\.xml
disabled = false
index = test_index
sourcetype = test_srctype

[monitor://G:\rcad.net\dfs\TEST\SAMPLE\PROD\BTS-TEST-Testing-PROD-NAV\ERROR\*.xml]
disabled = false
index = test_index
sourcetype = test_srctype

I have tried using whitelist but it still does not work.

How to debug why a universal forwarder is parsing files from paths but no data is ingested?