How to debug why a universal forwarder is reading all log files except one?

darthsplunk
Explorer

Hello,

I have configured inputs.conf on a universal forwarder. The file contains around 20 entries for log files, however one of them is not being read by Splunk.

Within splunkd I can see:

10-23-2014 14:59:17.762 +0100 INFO  TailingProcessor - Parsing configuration stanza: monitor://C:\my\dir\logfile.log.

I would then expect to see:

TailingProcessor - Adding watch on path for file <…>

and

WatchedFile - Will begin reading at offset=61873 for file <…>

But I never see this. I have performed the following debug steps:

How can I debug this further? The universal forwarder is sending data from other log files on this host OK, so it isn't a connection issue.

Any help is appreciated.

Thanks,
DS

1 Solution

darthsplunk
Explorer

It turned out to be an issue with other entries in the inputs.conf where wildcards were in use. These were corrected and the inputs work as expected. Thanks all.

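The accepted answer says the culprit was other inputs.conf stanzas that used wildcards, and jrodman's reply below explains that "Adding watch on path" names the common parent directory of a stanza, not the file itself. The following is an added example, not Splunk's code and not the poster's inputs.conf: a small checker that parses monitor:// stanzas, applies a simplified model of Splunk's documented wildcard rules (`*` matches within one path segment, `...` matches across segments, whitelist/blacklist are regexes tested against the full path, `disabled` switches a stanza off), and reports every stanza that would claim a given file together with the directory the watch would be placed on. The sample inputs.conf is constructed; stanza paths, keys and the assumption that matching is case-insensitive on Windows are mine.

```python
"""Which monitor:// stanzas in an inputs.conf would claim a given file?

Hypothetical diagnostic helper (not Splunk code). Wildcard handling is a
simplified model of Splunk's documented monitor semantics: '*' matches
anything inside one path segment, '...' matches across segments.
"""
import re

# Constructed sample, not the thread poster's real configuration.
SAMPLE_INPUTS_CONF = r"""
[monitor://C:\my\dir\logfile.log]
sourcetype = app_log
index = main

[monitor://C:\my\...\*.txt]
sourcetype = app_txt

[monitor://C:\my\dir\*]
sourcetype = catchall
blacklist = \.log$

[monitor://C:\other\...]
disabled = 1
"""


def parse_inputs_conf(text):
    """Return a list of (stanza_path, {key: value}) for monitor:// stanzas only."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = None
            if name.startswith("monitor://"):
                current = (name[len("monitor://"):], {})
                stanzas.append(current)
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[1][key.strip()] = value.strip()
    return stanzas


def _normalize(path):
    # Compare C:\my\dir and C:/my/dir as the same path.
    return path.replace("\\", "/")


def stanza_to_regex(stanza_path):
    """Translate Splunk wildcards into an anchored, case-insensitive regex."""
    norm = _normalize(stanza_path)
    parts = []
    i = 0
    while i < len(norm):
        if norm.startswith("...", i):
            parts.append(".*")          # any depth of directories
            i += 3
        elif norm[i] == "*":
            parts.append("[^/]*")       # anything but a path separator
            i += 1
        else:
            parts.append(re.escape(norm[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def watch_root(stanza_path):
    """Directory the tailing processor would watch: the wildcard-free prefix,
    or the parent directory when the stanza names a single file."""
    segments = _normalize(stanza_path).split("/")
    root = []
    for seg in segments:
        if "*" in seg or "..." in seg:
            return "/".join(root)
        root.append(seg)
    return "/".join(root[:-1])


def stanzas_claiming(stanzas, file_path):
    """Return (stanza_path, verdict) for every stanza whose pattern matches file_path."""
    norm = _normalize(file_path)
    results = []
    for spath, keys in stanzas:
        if not stanza_to_regex(spath).match(norm):
            continue
        if keys.get("disabled", "0").lower() in ("1", "true"):
            results.append((spath, "matches but disabled"))
            continue
        whitelist, blacklist = keys.get("whitelist"), keys.get("blacklist")
        if whitelist and not re.search(whitelist, norm):
            results.append((spath, "matches but fails whitelist"))
            continue
        if blacklist and re.search(blacklist, norm):
            results.append((spath, "matches but blacklisted"))
            continue
        results.append((spath, "claims file"))
    return results


if __name__ == "__main__":
    stanzas = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for target in (r"C:\my\dir\logfile.log", r"C:\my\dir\notes.txt"):
        print(target)
        for spath, verdict in stanzas_claiming(stanzas, target):
            print(f"  [{spath}] -> {verdict} (watch on {watch_root(spath)})")
```

Run against the sample, `logfile.log` is matched by two stanzas (the exact one and the `C:\my\dir\*` catch-all, which blacklists it), and `notes.txt` is claimed outright by two overlapping wildcard stanzas. Overlaps of that kind are the first thing to look for when one file out of many silently goes unread.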

dailv1808
Path Finder

I have the same problem. Please show me how you fixed it. Thanks.



jrodman
Splunk Employee

Adding watch on path is for the common parent of the monitored locations. Do you have monitors on directories that are above that location, such as c:\my or c:\my\dir? What is the set of directories that you see for these lines? What is the set of monitor stanzas that you have?

Do you have any messages relating to logfile.log in splunkd.log at all?


the_wolverine
Champion

You should search the _internal index for any reference to the log file name in question. Some issues I have seen in the field are: thruput set too low (the forwarder is not able to consume the log before it rolls), and permissions issues (Splunk doesn't have read access to the log file).

What is the version of Splunk forwarder in question?
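Both jrodman's question (are there any messages about logfile.log in splunkd.log at all?) and the_wolverine's advice (search for the file name, then check thruput and permissions) come down to walking splunkd.log for one file and finding the first stage it never reached. The following is an added example, not Splunk's code and not from anyone in the thread: it scans splunkd.log text for the three TailingProcessor/WatchedFile messages quoted in the question, treats an "Adding watch" on a parent directory as covering the file, and flags the standard ThruputProcessor maxKBps notice and any permission-denied line naming the file. The log lines are constructed for the example; the exact `path:` / `file='...'` layout of the watch and reading messages is my assumption about the format.

```python
"""Triage splunkd.log for a single monitored file.

Hypothetical helper, not Splunk code. Reports which of the three
TailingProcessor/WatchedFile stages a file reached, plus throttling
or permission findings that commonly explain a stalled input.
"""
import re
from collections import OrderedDict

# Constructed sample in splunkd.log format. The stanza/watch/reading message
# texts follow the thread; the throughput line is the usual ThruputProcessor notice.
SAMPLE_SPLUNKD_LOG = r"""
10-23-2014 14:59:17.762 +0100 INFO  TailingProcessor - Parsing configuration stanza: monitor://C:\my\dir\logfile.log.
10-23-2014 14:59:17.770 +0100 INFO  TailingProcessor - Parsing configuration stanza: monitor://C:\my\dir\other.log.
10-23-2014 14:59:17.801 +0100 INFO  TailingProcessor - Adding watch on path: C:\my\dir.
10-23-2014 14:59:18.120 +0100 INFO  WatchedFile - Will begin reading at offset=61873 for file='C:\my\dir\other.log'.
10-23-2014 15:03:40.005 +0100 INFO  ThruputProcessor - Current data throughput (256 kb/s) has reached maxKBps. As a result, data forwarding may be throttled. Consider increasing the value of maxKBps in limits.conf.
"""

# Stages in the order the forwarder goes through them for a monitor:// input.
STAGES = OrderedDict([
    ("parsed", re.compile(r"Parsing configuration stanza: monitor://(?P<path>.+?)\.?$")),
    ("watch_added", re.compile(r"Adding watch on path: (?P<path>.+?)\.?$")),
    ("reading", re.compile(r"Will begin reading at offset=(?P<offset>\d+) for file='?(?P<path>[^']+)'?")),
])
THROTTLE = re.compile(r"ThruputProcessor - .*maxKBps")
PERMISSION = re.compile(r"permission denied|access is denied", re.IGNORECASE)


def _normalize(path):
    # Windows paths: ignore separator style, trailing separators and case.
    return path.replace("\\", "/").rstrip("/").lower()


def triage(log_text, target_path):
    """Return (stage -> matching line or None, first missing stage, findings)."""
    target = _normalize(target_path)
    seen = OrderedDict((stage, None) for stage in STAGES)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        for stage, pattern in STAGES.items():
            match = pattern.search(line)
            if not match:
                continue
            path = _normalize(match.group("path"))
            # A watch is placed on a parent directory, so accept it when the
            # target lives somewhere beneath that directory.
            if path == target or (stage == "watch_added" and target.startswith(path + "/")):
                seen[stage] = line
        if THROTTLE.search(line):
            note = "forwarder reports maxKBps throttling; review [thruput] in limits.conf"
            if note not in findings:
                findings.append(note)
        if PERMISSION.search(line) and target in _normalize(line):
            note = "permission error names the file; check the service account's read access"
            if note not in findings:
                findings.append(note)
    first_missing = next((s for s, v in seen.items() if v is None), None)
    return seen, first_missing, findings


if __name__ == "__main__":
    for target in (r"C:\my\dir\logfile.log", r"C:\my\dir\other.log"):
        seen, missing, findings = triage(SAMPLE_SPLUNKD_LOG, target)
        print(target, "-> stalled before:", missing or "nothing, file is being read")
        for stage, line in seen.items():
            print(f"  {stage:12} {'ok' if line else 'MISSING'}")
        for note in findings:
            print("  note:", note)
```

On the sample, `logfile.log` is parsed and covered by the watch on `C:\my\dir` but never reaches "Will begin reading", which is exactly the symptom in the question, while `other.log` passes all three stages. The throttling note is reported for both because the maxKBps message is host-wide, not per file.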

esix_splunk
Splunk Employee

Check file level permissions and make sure the user splunk is running as can read/execute on those files.

Additionally, is this a distributed environment? If so, what does your outputs.conf look like?
