Getting Data In

How to troubleshoot why a Windows universal forwarder is not forwarding application logs assigned custom sourcetypes?

awendler
Explorer

We are having an issue where a Universal Forwarder configured to forward a half dozen custom application logs is not forwarding any of them. It is a Windows server, and we are seeing Windows security information come across, and if I point to a known log, c:\windows\windowsupdate.log in inputs.conf, it sends that along. However, the other files are not coming across to the indexer.

They use custom sourcetypes that have been correctly specified; I can examine them and they appear to be set up correctly. The types are specified in inputs.conf for each file stanza and I can see them in Splunk's props.conf.

I cannot see a reason that only our custom files would be ignored. In splunkd.log on the forwarder it acknowledges their stanzas for each file:

03-31-2015 12:48:41.248 -0400 INFO  TailingProcessor - Parsing configuration stanza: monitor://

There are no warnings or errors in the log file.

Splunk is running as a local system account and has permissions to the files.

I do not know what could be causing this issue and I am unsure where else I can look to diagnose the issue.

0 Karma

brod_geico
Path Finder

A couple of things you can try. After seeing that message, it sounds like a parsing queue issue.
You can try increasing
maxQueueSize = 200MB in outputs.conf.
Sometimes the maxQueueSize setting causes events to be loaded into a queue in memory, so before increasing it check your memory and performance using top or whatever OS command.
Note: check out metrics.log for parsingQueue or TCP queue is full etc. errors

0 Karma
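As an added example (not from the original thread), a small Python script that reads metrics.log lines the way brod_geico suggests: it flags queue samples that report blocked=true or are nearly full, and lists which sourcetypes produced any throughput, so a custom sourcetype that never appears can be traced back to the input stanza rather than the queues. The log lines, queue names and sourcetype names are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample metrics.log lines (not from the original post). The field
# layout follows Splunk's group=queue and per_sourcetype_thruput metrics; the
# queue names, sourcetypes and sizes are invented for this example.
SAMPLE_METRICS_LOG = """\
03-31-2015 12:48:41.248 -0400 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=12, current_size=3, largest_size=40, smallest_size=0
03-31-2015 12:48:41.248 -0400 INFO  Metrics - group=queue, name=tcpout_indexers, blocked=true, max_size_kb=512, current_size_kb=511, current_size=900, largest_size=900, smallest_size=0
03-31-2015 12:48:41.248 -0400 INFO  Metrics - group=per_sourcetype_thruput, series="wineventlog:security", kbps=1.2, eps=4.0, kb=37.1, ev=124
03-31-2015 12:49:12.305 -0400 INFO  Metrics - group=queue, name=parsingqueue, blocked=true, max_size_kb=6144, current_size_kb=6140, current_size=2000, largest_size=2000, smallest_size=0
03-31-2015 12:49:12.305 -0400 INFO  Metrics - group=per_sourcetype_thruput, series="windowsupdate", kbps=0.5, eps=2.1, kb=15.3, ev=63
"""

# key=value pairs; values may be bare tokens or double-quoted strings
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')

def _fields(line: str) -> Dict[str, str]:
    """Turn the key=value part of one metrics.log line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def find_congested_queues(text: str, fill_threshold: float = 0.8) -> List[Tuple[str, str, bool, float]]:
    """Return (timestamp, queue name, blocked, fill ratio) for every group=queue
    sample that reports blocked=true or is fuller than fill_threshold."""
    findings = []
    for line in text.splitlines():
        f = _fields(line)
        if f.get("group") != "queue":
            continue
        max_kb = float(f.get("max_size_kb", 0))
        fill = float(f.get("current_size_kb", 0)) / max_kb if max_kb else 0.0
        blocked = f.get("blocked", "false").lower() == "true"
        if blocked or fill >= fill_threshold:
            # line[:23] is the "MM-DD-YYYY HH:MM:SS.mmm" timestamp prefix
            findings.append((line[:23], f.get("name", "?"), blocked, round(fill, 3)))
    return findings

def sourcetypes_seen(text: str) -> Set[str]:
    """Sourcetypes that produced any throughput. A custom sourcetype that never
    shows up here is not being read at all, which points at the input, not the queues."""
    return {f["series"] for f in map(_fields, text.splitlines())
            if f.get("group") == "per_sourcetype_thruput" and "series" in f}

def missing_sourcetypes(text: str, expected: Set[str]) -> Set[str]:
    """Expected sourcetypes (e.g. the custom ones from inputs.conf) with no throughput yet."""
    return set(expected) - sourcetypes_seen(text)

if __name__ == "__main__":
    for ts, name, blocked, fill in find_congested_queues(SAMPLE_METRICS_LOG):
        print(f"{ts} {name}: blocked={blocked} fill={fill:.0%}")
    print("never seen:", missing_sourcetypes(SAMPLE_METRICS_LOG, {"my_app_log", "windowsupdate"}))
```

If a custom sourcetype is in the missing set while no queue is blocked, the bottleneck is not the queue sizing but the monitor input itself (path, permissions, or the file never changing).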

awendler
Explorer

Thanks, I've tried that but it does not seem to have changed anything. I'm pulling the log files on the forwarder and I will examine the metrics.log

0 Karma