I am forwarding the logs from the below directory. Below is the inputs.conf file:
[monitor:///u01/app/oracle/scripts/SplunkMonitoring/Log]
disabled = false
index = osb
crcSalt = <SOURCE>
[monitor:///u01/app/oracle/scripts/Logging/output]
disabled = false
index = osb
=============
Output from /u01/app/oracle/scripts/Logging/output is forwarding successfully, but no logs were received for /u01/app/oracle/scripts/SplunkMonitoring/Log. Below is the splunkd.log file.
10-09-2022 21:31:41.925 +0800 INFO WatchedFile [214996 tailreader0] - Will begin reading at offset=0 for file='/u01/app/oracle/scripts/SplunkMonitoring/Log/ServerStatus.txt'.
10-09-2022 21:32:01.208 +0800 INFO AutoLoadBalancedConnectionStrategy [214989 TcpOutEloop] - Connected to idx=10.9.0.49:9997:0, pset=0, reuse=0. autoBatch=1
10-09-2022 21:32:05.125 +0800 INFO TailReader [214996 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'
10-09-2022 21:32:31.053 +0800 INFO AutoLoadBalancedConnectionStrategy [214989 TcpOutEloop] - Connected to idx=10.9.0.49:9997:2, pset=0, reuse=0. autoBatch=1
10-09-2022 21:32:35.054 +0800 INFO TailReader [214996 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'
10-09-2022 21:33:00.976 +0800 INFO AutoLoadBalancedConnectionStrategy [214989 TcpOutEloop] - Connected to idx=10.9.0.49:9997:1, pset=0, reuse=0. autoBatch=1
10-09-2022 21:33:07.976 +0800 INFO TailReader [214996 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'
10-09-2022 21:33:21.924 +0800 INFO WatchedFile [214996 tailreader0] - Will begin reading at offset=0 for file='/u01/app/oracle/scripts/SplunkMonitoring/Log/jms_status.txt'.
10-09-2022 21:33:21.931 +0800 INFO WatchedFile [214996 tailreader0] - Will begin reading at offset=0 for file='/u01/app/oracle/scripts/SplunkMonitoring/Log/DataSourceStatus.txt'.
Hi @yuvasree,
did you define the TIME_FORMAT in the props.conf?
See if your logs are present with the timestamp of the 10th of September.
Ciao.
Giuseppe
@gcusello Thanks for the reply.
I don't know how the issue was resolved, but somehow it is forwarding from that server.
But again, on one more server the file contents are not changed, hence Splunk is ignoring the files under the folder. I need to forward it whenever the script output is updated.
Below are the settings.
Props.conf
[brm_deployment_dev]
BREAK_ONLY_BEFORE_DATE =
DATETIME_CONFIG = CURRENT
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
HEADER_FIELD_LINE_NUMBER=1
inputs.conf
[monitor:///u01/app/oracle/Scripts/SplunkDashboard/Check]
disabled = false
index=general
sourcetype=brm_deployment_dev
crcSalt=<SOURCE>
initCrcLength=2048
CHECK_METHOD = modtime
Hi @yuvasree,
let me understand: is /u01/app/oracle/Scripts/SplunkDashboard/Check the path or the file name?
If it is the path, try to add * at the end.
Ciao.
Giuseppe
Hi @gcusello
It is a path. Inside that path there are 48 files (SQL output, but with 1 or 2 lines in each file).
I tried with /* but it threw an error like below.
Invalid key in stanza [monitor:///u01/app/oracle/Scripts/SplunkDashboard/Check/*] in /opt/splunkforwarder/etc/apps/search/local/inputs.conf, line 15: CHECK_METHOD (value: modtime).
Then I updated the check method in props.conf, but no luck.
[brm_deployment_dev]
BREAK_ONLY_BEFORE_DATE =
DATETIME_CONFIG = CURRENT
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
HEADER_FIELD_LINE_NUMBER=1
CHECK_METHOD = modtime
Hi @yuvasree,
as you can read at https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Propsconf
this option is only valid for stanzas with [source::<source>] while you're using sourcetype.
Without this option, is the file read?
Ciao.
Giuseppe
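A small lint for the placement rule in the reply above, as an added example that is not part of the original thread or of Splunk's tooling. The sample configs are constructed from the stanzas posted here; the function names and the [source::...] path pattern in PROPS_GOOD are assumptions, since the final working stanza was not posted.

```python
import re

# Constructed sample configs modelled on the stanzas posted in this thread.
INPUTS_CONF = """\
[monitor:///u01/app/oracle/Scripts/SplunkDashboard/Check]
index = general
sourcetype = brm_deployment_dev
crcSalt = <SOURCE>
CHECK_METHOD = modtime
"""
PROPS_BAD = """\
[brm_deployment_dev]
INDEXED_EXTRACTIONS = csv
CHECK_METHOD = modtime
"""
# Assumed form of the fix: the setting moved under a source-based stanza.
PROPS_GOOD = """\
[source::/u01/app/oracle/Scripts/SplunkDashboard/Check/*]
CHECK_METHOD = modtime
"""

def parse_stanzas(text):
    """Return [(stanza_name, {key: value})] from Splunk .conf text."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = (header.group(1), {})
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[1][key.strip()] = value.strip()
    return stanzas

def check_method_findings(conf_name, text):
    """Flag CHECK_METHOD anywhere except a props.conf [source::...] stanza."""
    findings = []
    for name, settings in parse_stanzas(text):
        if "CHECK_METHOD" not in settings:
            continue
        if conf_name != "props.conf":
            findings.append(f"{conf_name} [{name}]: CHECK_METHOD is a props.conf setting")
        elif not name.startswith("source::"):
            findings.append(f"props.conf [{name}]: CHECK_METHOD needs a [source::<source>] stanza")
    return findings
```

Running it over a forwarder's local inputs.conf and props.conf before a restart catches both misplacements seen in this thread: the invalid key in the monitor stanza and the silently ignored setting under the sourcetype stanza.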
Hi @gcusello ,
Apologies, I missed that part somehow. After setting the source path, it is able to send the file successfully based on the modtime.
Thanks.
See you later for another issue.
Hi @yuvasree
good for you, see you next time (it will be a pleasure)!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉