Logs are not forwarding from the particular directory?

yuvasree
Explorer

I am forwarding the logs from the below directory. Below is the inputs.conf file:

[monitor:///u01/app/oracle/scripts/SplunkMonitoring/Log]
disabled = false
index = osb
crcSalt = <SOURCE>

[monitor:///u01/app/oracle/scripts/Logging/output]
disabled = false
index = osb

=============

Output from /u01/app/oracle/scripts/Logging/output is forwarding successfully, but no logs were received for /u01/app/oracle/scripts/SplunkMonitoring/Log. Below is the splunkd.log file.

10-09-2022 21:31:41.925 +0800 INFO WatchedFile [214996 tailreader0] - Will begin reading at offset=0 for file='/u01/app/oracle/scripts/SplunkMonitoring/Log/ServerStatus.txt'.
10-09-2022 21:32:01.208 +0800 INFO AutoLoadBalancedConnectionStrategy [214989 TcpOutEloop] - Connected to idx=10.9.0.49:9997:0, pset=0, reuse=0. autoBatch=1
10-09-2022 21:32:05.125 +0800 INFO TailReader [214996 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'
10-09-2022 21:32:31.053 +0800 INFO AutoLoadBalancedConnectionStrategy [214989 TcpOutEloop] - Connected to idx=10.9.0.49:9997:2, pset=0, reuse=0. autoBatch=1
10-09-2022 21:32:35.054 +0800 INFO TailReader [214996 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'
10-09-2022 21:33:00.976 +0800 INFO AutoLoadBalancedConnectionStrategy [214989 TcpOutEloop] - Connected to idx=10.9.0.49:9997:1, pset=0, reuse=0. autoBatch=1
10-09-2022 21:33:07.976 +0800 INFO TailReader [214996 tailreader0] - Batch input finished reading file='/opt/splunkforwarder/var/spool/splunk/tracker.log'
10-09-2022 21:33:21.924 +0800 INFO WatchedFile [214996 tailreader0] - Will begin reading at offset=0 for file='/u01/app/oracle/scripts/SplunkMonitoring/Log/jms_status.txt'.
10-09-2022 21:33:21.931 +0800 INFO WatchedFile [214996 tailreader0] - Will begin reading at offset=0 for file='/u01/app/oracle/scripts/SplunkMonitoring/Log/DataSourceStatus.txt'.

0 Karma
gcusello
SplunkTrust

Hi @yuvasree,

did you define the TIME_FORMAT in the props.conf?

See if your logs are present with the timestamp of the 10th of September.

Ciao.

Giuseppe

0 Karma

yuvasree
Explorer

@gcusello  Thanks for the reply. 

I don't know how the issue was resolved, but somehow it is forwarding from that server.

But again, on one more server the file contents are not changed, hence Splunk is ignoring the files under the folder. I need to forward it whenever the script output is updated.

 

Below are the settings.

 

Props.conf

 

[brm_deployment_dev]
BREAK_ONLY_BEFORE_DATE =
DATETIME_CONFIG = CURRENT
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
HEADER_FIELD_LINE_NUMBER=1

 

inputs.conf

 

[monitor:///u01/app/oracle/Scripts/SplunkDashboard/Check]
disabled = false
index=general
sourcetype=brm_deployment_dev
crcSalt=<SOURCE>
initCrcLength=2048
CHECK_METHOD = modtime

0 Karma

gcusello
SplunkTrust

Hi @yuvasree,

let me understand: is /u01/app/oracle/Scripts/SplunkDashboard/Check the path or the file name?

If it is the path, try adding * at the end.

Ciao.

Giuseppe

0 Karma

yuvasree
Explorer

Hi @gcusello 

It is a path. Inside that path there are 48 files (SQL output, but with 1 or 2 lines in each file).

I tried with /* but it threw an error like below.

 

Invalid key in stanza [monitor:///u01/app/oracle/Scripts/SplunkDashboard/Check/*] in /opt/splunkforwarder/etc/apps/search/local/inputs.conf, line 15: CHECK_METHOD (value: modtime).

 

Then I updated the check method in props.conf, but no luck.

 

[brm_deployment_dev]
BREAK_ONLY_BEFORE_DATE =
DATETIME_CONFIG = CURRENT
INDEXED_EXTRACTIONS = csv
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
HEADER_FIELD_LINE_NUMBER=1
CHECK_METHOD = modtime

0 Karma

gcusello
SplunkTrust

Hi @yuvasree,

as you can read at https://docs.splunk.com/Documentation/Splunk/9.0.1/Admin/Propsconf, this option is only valid for stanzas with [source::<source>], while you're using sourcetype.

Without this option, is the file read?

Ciao.

Giuseppe

0 Karma
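A small linter for the misplacement diagnosed in this thread, as an added example that is not part of any post: it flags CHECK_METHOD in inputs.conf (where splunkd reported it as an invalid key) and in props.conf stanzas other than [source::<source>]. The function names and the corrected `[source::...]` pattern are assumptions; the thread does not show the final stanza.

```python
# Added example: lint Splunk .conf text for a misplaced CHECK_METHOD setting.
import re

STANZA = re.compile(r"^\[(.+)\]\s*$")
SETTING = re.compile(r"^([^=\s#][^=]*?)\s*=\s*(.*)$")

def parse_conf(text):
    """Return [(stanza, {key: value})] in file order; '#' comments are skipped."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = (m.group(1), {})
            stanzas.append(current)
            continue
        m = SETTING.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2)
    return stanzas

def lint_check_method(conf_name, text):
    """Flag CHECK_METHOD anywhere except a props.conf [source::...] stanza."""
    findings = []
    for stanza, settings in parse_conf(text):
        if "CHECK_METHOD" not in settings:
            continue
        if conf_name != "props.conf":
            findings.append(f"{conf_name} [{stanza}]: CHECK_METHOD is a props.conf setting")
        elif not stanza.startswith("source::"):
            findings.append(f"props.conf [{stanza}]: CHECK_METHOD needs a [source::<source>] stanza")
    return findings

# Stanzas as posted in the thread, trimmed to the relevant keys.
INPUTS_POSTED = """[monitor:///u01/app/oracle/Scripts/SplunkDashboard/Check]
index=general
sourcetype=brm_deployment_dev
CHECK_METHOD = modtime
"""
PROPS_POSTED = """[brm_deployment_dev]
INDEXED_EXTRACTIONS = csv
CHECK_METHOD = modtime
"""
# Assumed corrected form: the exact source pattern is not shown in the thread.
PROPS_FIXED = """[source::/u01/app/oracle/Scripts/SplunkDashboard/Check/*]
CHECK_METHOD = modtime
"""
```

Calling `lint_check_method("props.conf", PROPS_POSTED)` returns one finding for the sourcetype stanza, while the `[source::...]` form returns none.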

yuvasree
Explorer

Hi @gcusello ,

 

Apologies, I missed that part somehow. After setting the source path, it is able to send the file successfully based on the modtime.

 

Thanks.

 

See you later for another issue. 

0 Karma

gcusello
SplunkTrust

Hi @yuvasree,

good for you, see you next time (it will be a pleasure)!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma