Getting Data In

How to set the path for specific log?

balcv
Contributor

I have a group of 6 hosts logging into splunk but I am having trouble getting the specific log files in.  An example of the path and file is:

/opt/TalendRemoteEngine/TalendJobServersFiles/jobexecutions/logs/20220817205900_iC1V4/resuming_20220817205900_iC1V4.log

Both the last directory name and the log filename are always going to be different each time a log is generated so I'm trying to use wildcards such as /opt/TalendRemoteEngine/TalendJobServersFiles/jobexecutions/logs/*/*.log but this is not working.  My $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf file in the looks like this:

[monitor:///opt/TalendRemoteEngine/TalendJobServersFiles/jobexecutions/logs/.../*.log]
disabled = 0

Any suggestions as to why this does not work and what I should use or try?

Many thanks

Labels (1)
Tags (1)
0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

@balcv - I do not see any reason why it should not collect the logs but I can give you a few pointers for troubleshooting.

  • Make sure you are deploying this on a forwarder where the log files exist (as I can see inputs.conf file is under deployment-apps.)
  • Make sure you have UF splunkd restart enabled for Splunk_TA_nix App on Forwarder management.
  • On that forwarder make sure you got the latest deployed inputs.conf file under $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf.
  • Look at any errors in splunkd.log file for the forwarder machine.

 

I hope this helps!!! Upvote would be appreciated!!!

View solution in original post

VatsalJagani
SplunkTrust
SplunkTrust

@balcv - I do not see any reason why it should not collect the logs but I can give you a few pointers for troubleshooting.

  • Make sure you are deploying this on a forwarder where the log files exist (as I can see inputs.conf file is under deployment-apps.)
  • Make sure you have UF splunkd restart enabled for Splunk_TA_nix App on Forwarder management.
  • On that forwarder make sure you got the latest deployed inputs.conf file under $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf.
  • Look at any errors in splunkd.log file for the forwarder machine.

 

I hope this helps!!! Upvote would be appreciated!!!

PickleRick
SplunkTrust
SplunkTrust

And of course verify that your forwarder is able to read those files and directories!

There are so many hours lost on debugging ingestion problems which at the end turn out to be just forwarder user not having rights to read the file 😉

isoutamo
SplunkTrust
SplunkTrust

Just 

sudo -u <your splunk UF user> bash
ls -Fla /path/to/the/dir/where/files/are
tail <one file on that dir>

 

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...