Getting Data In

Monitored input not showing on indexer

kingpin867
New Member

What am I missing here? I have an indexer with the appropriate ports open and working, version 4.3.2.

I install the UniversalForwarder onto a Windows DHCP server, stop the UniversalForwarder service, and add the following config to $SPLUNK_HOME\etc\system\local\inputs.conf:

[monitor://C:\Windows\System32\dhcp]
sourcetype = DhcpSrvLog
crcSalt = <source>
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+\.log

Restart the service. Checking the inputstatus on the forwarder (https://[dhcphost]:8089/services/admin/inputstatus/) shows that it has enumerated all the appropriate DHCP log files with correct sizes.

Without doing anything else, I would expect the raw log entries to appear on the indexer. I do receive other system events from the same host on the indexer -- so I know the forwarder is working, but it isn't working for the monitored logs. What am I missing?


kristian_kolb
Ultra Champion
  1. How do you KNOW that you're not getting the DHCP logs indexed?
  2. What other data are you seeing from the forwarder?

Timestamps could be wrong. Have you searched for 'all time'?
Try a metadata search, that should show if there are any data indexed on a per sourcetype basis.

| metadata type=sourcetypes

Permissions.
You say you tried the rest interface (https://[dhcphost]:8089/services/admin/inputstatus/TailingProcessor:FileStatus, I assume). Any errors listed? 100% done?

Do you have permissions to access the index where the DHCP data is supposed to land? Is it searched by default, or would you have to specify index=blaha as part of your search?

/Kristian
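
The REST check above is the one step that can be automated. The following is an added example, not code from the thread or from Splunk: it parses the Atom feed returned by https://[dhcphost]:8089/services/admin/inputstatus/TailingProcessor:FileStatus and lists any monitored file the forwarder has not read to 100%. SAMPLE_XML is constructed by hand to mirror the feed's shape; the per-file key names ("file position", "file size", "percent", "type") and the whitelist message text are assumptions modelled on the 4.x endpoint, not captured from a real forwarder. fetch_file_status() needs an admin-level login on the forwarder's management port and is not exercised offline.

```python
# Added example, not code from the original thread: parse the Atom feed that
# /services/admin/inputstatus/TailingProcessor:FileStatus returns and list
# the monitored files the forwarder has NOT finished reading.
# SAMPLE_XML is constructed by hand; the per-file keys ("file position",
# "file size", "percent", "type") and the whitelist message are assumptions.
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"

SAMPLE_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>inputstatus</title>
  <entry>
    <title>TailingProcessor:FileStatus</title>
    <content type="text/xml">
      <s:dict>
        <s:key name="C:\Windows\System32\dhcp\DhcpSrvLog-Mon.log">
          <s:dict>
            <s:key name="file position">20480</s:key>
            <s:key name="file size">20480</s:key>
            <s:key name="percent">100.00</s:key>
            <s:key name="type">finished reading</s:key>
          </s:dict>
        </s:key>
        <s:key name="C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log">
          <s:dict>
            <s:key name="file position">1024</s:key>
            <s:key name="file size">8192</s:key>
            <s:key name="percent">12.50</s:key>
            <s:key name="type">open file</s:key>
          </s:dict>
        </s:key>
        <s:key name="C:\Windows\System32\dhcp\backup\DhcpCfg">
          <s:dict>
            <s:key name="type">Did not match whitelist 'Dhcp.+\.log'.</s:key>
          </s:dict>
        </s:key>
      </s:dict>
    </content>
  </entry>
</feed>
"""


def parse_file_status(xml_text):
    """Return one dict per monitored file: path, percent (float or None), type, position, size."""
    root = ET.fromstring(xml_text)
    records = []
    for entry in root.iter(ATOM + "entry"):
        content = entry.find(ATOM + "content")
        outer = content.find(SREST + "dict") if content is not None else None
        if outer is None:
            continue
        for key in outer.findall(SREST + "key"):
            inner = key.find(SREST + "dict")
            if inner is None:
                continue  # not a per-file block
            fields = {k.get("name"): (k.text or "").strip() for k in inner.findall(SREST + "key")}
            pct = fields.get("percent")
            records.append({
                "path": key.get("name"),
                "percent": float(pct) if pct else None,
                "type": fields.get("type", ""),
                "position": int(fields["file position"]) if "file position" in fields else None,
                "size": int(fields["file size"]) if "file size" in fields else None,
            })
    return records


def stalled(records):
    """Files not read to 100%, or that carry a reason (no percent) such as a whitelist miss."""
    return [r for r in records if r["percent"] is None or r["percent"] < 100.0]


def fetch_file_status(host, user, password, port=8089):
    """Pull the live feed from a forwarder's management port (not called offline)."""
    url = f"https://{host}:{port}/services/admin/inputstatus/TailingProcessor:FileStatus"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    # A stock forwarder presents a self-signed certificate. Skipping verification is
    # tolerable for a one-off check; trust or pin the cert for anything scripted.
    ctx = ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for r in stalled(parse_file_status(SAMPLE_XML)):
        pct = "n/a" if r["percent"] is None else f"{r['percent']:.2f}%"
        print(f"{r['path']}: {pct} ({r['type']})")
```

Read the output the way the answer suggests: a file at 100% with type "finished reading" (or "open file" on a log still being written) has left the forwarder, so if it is still not searchable the problem is downstream, typically the index not being searched by default or the user's role lacking access to it. A file with no percent and a reason string in "type" never left the forwarder, and that reason (whitelist, permissions, CRC) is what to fix.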

kristian_kolb
Ultra Champion

you're welcome 🙂


kingpin867
New Member

Arggh, I'm embarrassed. I wasn't using the correct terminology and everything was getting there correctly. Thanks for the nudge!
