@DavidHourani ,

Thank you for your swift response.
Answering your query i can able to see the internal logs for the servers where the etc/resolv.conf file is not getting ingested into Splunk Cloud. And also we have configured other OS logs which seems to be be getting ingested for the host except etc/resolv.conf file.

As mentioned in the third step I have ran the following command to check the status and i am getting an error as below:

          <s:dict>
            <s:key name="parent">/etc/resolv.conf</s:key>
            <s:key name="type">File did not match whitelist '(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)'.</s:key>
          </s:dict>
        </s:key>

I didn't tried the 4th step yet so where i am missing out. Kindly help to spot it out.

If you read here " <s:key name="type">File did not match whitelist '(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)'.</s:key>"

Apparently the whitelist you created is not matching the file. Test modifying the input stanza's whitelist to better match resolv.conf

@ DavidHourani,

I have cross verified the same command for a working server where the resolv.conf logs are getting ingested into Splunk Cloud and i got the same error for etc/resolv.conf but somehow the data from etc/resolv.conf file got ingested into Splunk Cloud.

And this is my whitelist which i pushed from Deployment master server.

[serverClass:all_test]
machineTypesFilter=linux-i686, linux-x86_64, HP-UX
whitelist.0 = *
restartSplunkd = true
[serverClass:all_test:app:resolve_app]

So what would be the exact whitelist which i need to use since we have around 180 + servers needs to be ingested into Splunk Cloud.

@DavidHourani
Can you kindly help where i am missing.

Hi @anandhalagarasan,

Could you please post your input stanza and whitelist not the serverclass whitelist XD

Input Stanza app name (abc_xyz):
[monitor:///etc/resolv.conf]
sourcetype = xyz
index = abc
whitelist = *

disabled = 0

Server Class:
[serverClass:all_nix_servers]
machineTypesFilter=linux-i686, linux-x86_64
whitelist.0 = *
restartSplunkd = true
[serverClass:all_nix_servers:app:abc_xyz]

Yeah that input doesn't, due to "cherry picking", you should use the default input stanza from linux TA ( which contains the following whitelist <s:key name="type">File did not match whitelist '(\.conf|\.cfg|config$|\.ini|\.init|\.cf|\.cnf|shrc$|^ifcfg|\.profile|\.rc|\.rules|\.tab|tab$|\.login|policy$)'.</s:key>)

And then add a line like this :

[source::...resolv.conf*]
sourcetype = xyz

I have used this stanza as mentioned :

[monitor:///etc/resolv.conf]
sourcetype = xyz
index = abc
_whitelist=(.conf|.cfg|config$|.ini|.init|.cf|.cnf|shrc$|^ifcfg|.profile|.rc|.rules|.tab|tab$|.login|policy$)
[source::...resolv.conf*]
disabled = 0

But still those logs are not getting ingested into Splunk Cloud. should i need to add or correct anything in the inputs.

Can anyone help on this request.

What does the internal log say for the hosts that work?
Maybe you could check for the hosts who are missing on the internal logs. Would be nice to see what the index="_internal" says.
Also it might help to have an outputs.conf to send the data directly to the indexer.