Getting Data In

Monitored input not showing on indexer

kingpin867
New Member

What am I missing here? I have an indexer with the appropriate ports open and working, version 4.3.2.

I install the UniversalForwarder onto a Windows DHCP server. Stop the UniversalForwarder service, add the following config to $SPLUNKHOME\etc\system\local\input.conf

[monitor://C:\Windows\System32\dhcp]
sourcetype = DhcpSrvLog
crcSalt = <source>
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+\.log

Restart the service. Check the inputstatus on the forwarder (https://[dhcphost]:8089/services/admin/inputstatus/), and it has enumerated all the appropriate DHCP log files with correct sizes.

Without doing anything else, I would expect the raw log entries to appear on the indexer. I do receive other system events from the same host on the indexer -- so I know the forwarder is working, but it isn't working for the monitored logs. What am I missing?


kristian_kolb
Ultra Champion
  1. How do you KNOW that you're not getting the DHCP logs indexed?
  2. What other data are you seeing from the forwarder?

Timestamps could be wrong. Have you searched for 'all time'?
Try a metadata search, that should show if there are any data indexed on a per sourcetype basis.

| metadata type=sourcetypes

Permissions.
You say you tried the rest interface (https://[dhcphost]:8089/services/admin/inputstatus/TailingProcessor:FileStatus, I assume). Any errors listed? 100% done?

Do you have permissions to access the index where the DHCP data is supposed to land? Is it searched by default, or would you have to specify index=blaha as part of your search?

/Kristian

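As an added example (not code from this thread), here is a small Python check that reads the JSON form of the TailingProcessor:FileStatus output Kristian points to and reports, for every file under the [monitor://C:\Windows\System32\dhcp] path, whether the stanza's whitelist regex admits it and whether the forwarder has read it to the end. The sample response, its field names ("file position", "file size", "percent", "type") and the file sizes are assumptions constructed for illustration.

```python
import json
import re

# Constructed sample of the forwarder's inputstatus/TailingProcessor:FileStatus
# response with output_mode=json. Field names and values are assumed for this
# example; compare against what your own forwarder actually returns.
SAMPLE_INPUTSTATUS = json.dumps({
    "entry": [{
        "name": "TailingProcessor:FileStatus",
        "content": {"inputs": {
            r"C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log": {
                "file position": 40960, "file size": 40960, "percent": 100.0,
                "type": "finished reading"},
            r"C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log": {
                "file position": 1024, "file size": 81920, "percent": 1.25,
                "type": "open file"},
            r"C:\Windows\System32\dhcp\DhcpV6SrvLog-Mon.log": {
                "file position": 2048, "file size": 2048, "percent": 100.0,
                "type": "finished reading"},
            r"C:\Windows\System32\dhcp\backup\DhcpCfg": {
                "file position": 0, "file size": 512, "percent": 0.0,
                "type": "ignored"},
        }},
    }]
})

MONITOR_PATH = r"C:\Windows\System32\dhcp"   # from the [monitor://...] stanza
WHITELIST = re.compile(r"Dhcp.+\.log")        # whitelist = Dhcp.+\.log

def file_status_report(inputstatus_json, monitor_path, whitelist):
    """Classify each file the tailing processor reports under monitor_path.

    Returns {path: state} where state is one of:
      'done'            - whitelisted and file position has reached file size
      'in_progress'     - whitelisted but the forwarder is still behind
      'not_whitelisted' - under the monitored dir, but the regex rejects it
    """
    report = {}
    inputs = json.loads(inputstatus_json)["entry"][0]["content"]["inputs"]
    for path, st in inputs.items():
        if not path.lower().startswith(monitor_path.lower()):
            continue  # belongs to a different monitor stanza
        if not whitelist.search(path):
            report[path] = "not_whitelisted"
        elif st["file position"] < st["file size"]:
            report[path] = "in_progress"
        else:
            report[path] = "done"
    return report

if __name__ == "__main__":
    for path, state in file_status_report(SAMPLE_INPUTSTATUS, MONITOR_PATH, WHITELIST).items():
        print(f"{state:16} {path}")
```

A file that shows up as 'done' here but never appears in a search is the cue to follow Kristian's other two pointers: the time range of the search and the permissions on the destination index.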

kristian_kolb
Ultra Champion

you're welcome 🙂


kingpin867
New Member

Arggh, I'm embarrassed. I wasn't using the correct terminology and everything was getting there correctly. Thanks for the nudge!
