How to troubleshoot why some monitored files in Wi...

a212830 · ‎02-02-2016

Hi,

I have a number of directories with files that have numerous files that need to be monitored. Splunk is not picking them all up, and from what I can see, the inputs/props look fine. Looking at the actual directory and files, the "Date Modified" timestamp does not appear to be updated as the file is being written to. I seem to recall this being a Windows issue, and Splunk (hopefully) having some setting that will handle this - can anyone help me?

lguinn2 · ‎02-02-2016

What is in the inputs.conf? You can run btool on the Splunk instance to see the combined inputs. In the example below, I show btool writing to a file because it will generate a lot of information.

splunk btool list inputs --debug >inputslist.txt

What is Splunk actually monitoring? You can find out by entering

splunk list monitor

Look for the unexpected in either of these outputs.

Also, there is good general information on Troubleshooting Monitor Inputs in the Splunk Community wiki. I would skip over the first section, as I don't think setting DEBUG is a good place to start. The rest of the suggestions seem easier and more useful.

There is a Splunk Troubleshooting Manual. Take a look at the section "I can't find my data!" There is also a section called "I need advanced help troubleshooting Splunk for Windows"

How to troubleshoot why some monitored files in Windows directories not getting indexed?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!