Getting Data In

Monitored input not showing on indexer

kingpin867
New Member

What am I missing here? I have an indexer with the appropriate ports open and working, version 4.3.2.

I install the UniversalForwarder onto a Windows DHCP server. Stop the UniversalForwarder service, add the following config to $SPLUNKHOME\etc\system\local\input.conf

[monitor://C:\Windows\System32\dhcp]
sourcetype = DhcpSrvLog
crcSalt = <source>
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+\.log

Restart the service. Check the inputstatus on the forwarder, (https://[dhcphost]:8089/services/admin/inputstatus/) and it has enumerated all the appropriate DHCP log files with correct sizes.

Without doing anything else, I would expect the raw log entries to appear on the indexer. I do receive other system events from the same host on the indexer -- so I know the forwarder is working, but it isn't working for the monitored logs. What am I missing?

0 Karma
1 Solution

kristian_kolb
Ultra Champion
  1. How do you KNOW that you're not getting the DHCP logs indexed?
  2. What other data are you seeing from the forwarder?

Timestamps could be wrong. Have you searched for 'all time'?
Try a metadata search, that should show if there are any data indexed on a per sourcetype basis.

| metadata type=sourcetypes

Permissions.
You say you tried the rest interface (https://[dhcphost]:8089/services/admin/inputstatus/TailingProcessor:FileStatus, I assume). Any errors listed? 100% done?

Do you have permissions to access the index where the DHCP data is supposed to land? Is it searched by default, or would you have to specify index=blaha as part of your search?

/Kristian

View solution in original post

0 Karma

kristian_kolb
Ultra Champion
  1. How do you KNOW that you're not getting the DHCP logs indexed?
  2. What other data are you seeing from the forwarder?

Timestamps could be wrong. Have you searched for 'all time'?
Try a metadata search, that should show if there are any data indexed on a per sourcetype basis.

| metadata type=sourcetypes

Permissions.
You say you tried the rest interface (https://[dhcphost]:8089/services/admin/inputstatus/TailingProcessor:FileStatus, I assume). Any errors listed? 100% done?

Do you have permissions to access the index where the DHCP data is supposed to land? Is it searched by default, or would you have to specify index=blaha as part of your search?

/Kristian

0 Karma

kristian_kolb
Ultra Champion

you're welcome 🙂

0 Karma

kingpin867
New Member

Arggh, I'm embarrassed. I wasn't using the correct terminology and everything was getting there correctly. Thanks for the nudge!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...