Re: Log data of a particular sourcetype from one o...

raj_mpl · ‎04-24-2019

Hi All,

In UF installed server ,we have monitor stanza to read the .log file from a particular source named it as one of the sourcetype.
I used to get the log feed upto 7 days . But suddenly it stopped and not able to see any log feed from that particular sourcetype only
But I am getting the different types of log files nearly from 8 sources from the same UF installed server to indexer

I had rebooted the UF but no luck . By running splunk btool command I can see the monitor stanza for the missing sourcetype in inputs.conf along with others

Please guide me on this
Thanks

gcusello · ‎04-25-2019

Hi raj_mpl,
a little question: which day of the month was the stop day, the 1st?
in this case see the timestamp format because there's an error in time format interpratation: Splunk reads mm/dd/yyy, maybe you have dd/mm/yyy.
Bye.
Giuseppe

AnilPujar · ‎04-24-2019

other 8 sources also sending data to same indexes?

share inputs (from UF ) and indexes conf( from indexer)

raj_mpl · ‎04-25-2019

Yes , Other sources are also sending the data to same Index

[monitor:///user/sysem.log]
index=bal
sourcetype=mri

And for the same index different log from different sources are coming

vishaltaneja070 · ‎04-25-2019

@raj_mpl

check the _internal logs of forwarder to find out why the monitoring is suddenly stopperd. you will be able to see error message.

raj_mpl · ‎04-26-2019

What happens if we restart the splunk forwarder with a root user ?

Log data of a particular sourcetype from one of the forwarder is missing in splunk

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)