Getting Data In

Monitored input not showing on indexer

kingpin867
New Member

What am I missing here? I have an indexer with the appropriate ports open and working, version 4.3.2.

I install the UniversalForwarder onto a Windows DHCP server. Stop the UniversalForwarder service, add the following config to $SPLUNKHOME\etc\system\local\input.conf

[monitor://C:\Windows\System32\dhcp]
sourcetype = DhcpSrvLog
crcSalt = <source>
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+\.log

Restart the service. Check the inputstatus on the forwarder, (https://[dhcphost]:8089/services/admin/inputstatus/) and it has enumerated all the appropriate DHCP log files with correct sizes.

Without doing anything else, I would expect the raw log entries to appear on the indexer. I do receive other system events from the same host on the indexer -- so I know the forwarder is working, but it isn't working for the monitored logs. What am I missing?

0 Karma
1 Solution

kristian_kolb
Ultra Champion
  1. How do you KNOW that you're not getting the DHCP logs indexed?
  2. What other data are you seeing from the forwarder?

Timestamps could be wrong. Have you searched for 'all time'?
Try a metadata search, that should show if there are any data indexed on a per sourcetype basis.

| metadata type=sourcetypes

Permissions.
You say you tried the rest interface (https://[dhcphost]:8089/services/admin/inputstatus/TailingProcessor:FileStatus, I assume). Any errors listed? 100% done?

Do you have permissions to access the index where the DHCP data is supposed to land? Is it searched by default, or would you have to specify index=blaha as part of your search?

/Kristian

View solution in original post

0 Karma

kristian_kolb
Ultra Champion
  1. How do you KNOW that you're not getting the DHCP logs indexed?
  2. What other data are you seeing from the forwarder?

Timestamps could be wrong. Have you searched for 'all time'?
Try a metadata search, that should show if there are any data indexed on a per sourcetype basis.

| metadata type=sourcetypes

Permissions.
You say you tried the rest interface (https://[dhcphost]:8089/services/admin/inputstatus/TailingProcessor:FileStatus, I assume). Any errors listed? 100% done?

Do you have permissions to access the index where the DHCP data is supposed to land? Is it searched by default, or would you have to specify index=blaha as part of your search?

/Kristian

0 Karma

kristian_kolb
Ultra Champion

you're welcome 🙂

0 Karma

kingpin867
New Member

Arggh, I'm embarrassed. I wasn't using the correct terminology and everything was getting there correctly. Thanks for the nudge!

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...