Getting Data In

How to set the path for specific log?

balcv
Contributor

I have a group of 6 hosts logging into Splunk but I am having trouble getting the specific log files in. An example of the path and file is:

/opt/TalendRemoteEngine/TalendJobServersFiles/jobexecutions/logs/20220817205900_iC1V4/resuming_20220817205900_iC1V4.log

Both the last directory name and the log filename are always going to be different each time a log is generated so I'm trying to use wildcards such as /opt/TalendRemoteEngine/TalendJobServersFiles/jobexecutions/logs/*/*.log but this is not working. My $SPLUNK_HOME/etc/deployment-apps/Splunk_TA_nix/local/inputs.conf file looks like this:

[monitor:///opt/TalendRemoteEngine/TalendJobServersFiles/jobexecutions/logs/.../*.log]
disabled = 0

Any suggestions as to why this does not work and what I should use or try?

Many thanks

VatsalJagani
SplunkTrust

@balcv - I do not see any reason why it should not collect the logs but I can give you a few pointers for troubleshooting.

  • Make sure you are deploying this on a forwarder where the log files exist (as I can see inputs.conf file is under deployment-apps.)
  • Make sure you have UF splunkd restart enabled for Splunk_TA_nix App on Forwarder management.
  • On that forwarder make sure you got the latest deployed inputs.conf file under $SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf.
  • Look at any errors in splunkd.log file for the forwarder machine.

I hope this helps!!! Upvote would be appreciated!!!

PickleRick
SplunkTrust

And of course verify that your forwarder is able to read those files and directories!

There are so many hours lost on debugging ingestion problems which in the end turn out to be just the forwarder user not having rights to read the file 😉

isoutamo
SplunkTrust

Just 

sudo -u <your splunk UF user> bash
ls -Fla /path/to/the/dir/where/files/are
tail <one file on that dir>
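
The permission check suggested in the last two replies, as an added sketch (not code from the thread or from Splunk): a POSIX shell script to run as the forwarder's OS account that walks down to the log directory and reports the first component that account cannot traverse, list or read. The script and function names are made up for this example, and it assumes the `*/*.log` layout from the question.

```shell
#!/bin/sh
# Added example (hypothetical script and function names). Run it as the
# forwarder's OS account: sudo -u <your splunk UF user> sh check_monitor.sh DIR

# walk_path PATH: descend from / and print the first component that is
# missing, not traversable (directory without x) or not readable (file).
walk_path() {
    case $1 in /*) ;; *) echo "NOT_ABSOLUTE $1"; return 2 ;; esac
    cur=""; rest=${1#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ ! -e "$cur" ]; then echo "MISSING $cur"; return 1; fi
        if [ -d "$cur" ]; then
            [ -x "$cur" ] || { echo "NO_TRAVERSE $cur"; return 1; }
        else
            [ -r "$cur" ] || { echo "NO_READ $cur"; return 1; }
        fi
    done
    echo "OK $1"
}

# check_monitor_dir BASE: BASE and each BASE/<dir> must be listable (r+x),
# because matching a wildcard needs a directory listing, and every
# BASE/<dir>/*.log must be readable. Returns non-zero on any finding.
check_monitor_dir() {
    walk_path "$1" || return 1
    [ -r "$1" ] || { echo "NO_LIST $1"; return 1; }
    bad=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        if [ ! -r "$d" ] || [ ! -x "$d" ]; then
            echo "NO_LIST $d"; bad=1; continue
        fi
        for f in "$d"/*.log; do
            [ -e "$f" ] || continue
            [ -r "$f" ] || { echo "NO_READ $f"; bad=1; }
        done
    done
    [ "$bad" -eq 0 ] && echo "OK $1/*/*.log"
    return "$bad"
}

# Check the directory given on the command line, if any.
if [ $# -gt 0 ]; then check_monitor_dir "$1"; fi
```

A finding printed here for the forwarder account but not for root points at ownership or mode bits on that component rather than at the inputs.conf stanza.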
