Getting Data In

Monitored input not showing on indexer

kingpin867
New Member

What am I missing here? I have an indexer with the appropriate ports open and working, version 4.3.2.

I install the UniversalForwarder onto a Windows DHCP server, stop the UniversalForwarder service, and add the following config to $SPLUNK_HOME\etc\system\local\inputs.conf:

[monitor://C:\Windows\System32\dhcp]
sourcetype = DhcpSrvLog
crcSalt = <source>
alwaysOpenFile = 1
disabled = false
whitelist = Dhcp.+\.log

Restart the service. Checking the inputstatus on the forwarder (https://[dhcphost]:8089/services/admin/inputstatus/) shows that it has enumerated all the appropriate DHCP log files with the correct sizes.

Without doing anything else, I would expect the raw log entries to appear on the indexer. I do receive other system events from the same host on the indexer -- so I know the forwarder is working, but it isn't working for the monitored logs. What am I missing?

0 Karma
1 Solution

kristian_kolb
Ultra Champion
  1. How do you KNOW that you're not getting the DHCP logs indexed?
  2. What other data are you seeing from the forwarder?

Timestamps could be wrong. Have you searched for 'all time'?
Try a metadata search; that should show whether any data are indexed, per sourcetype.

| metadata type=sourcetypes

Permissions.
You say you tried the REST interface (https://[dhcphost]:8089/services/admin/inputstatus/TailingProcessor:FileStatus, I assume). Any errors listed? 100% done?

Do you have permissions to access the index where the DHCP data is supposed to land? Is it searched by default, or would you have to specify index=blaha as part of your search?

/Kristian


0 Karma
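The inputstatus check recommended in the answer, as an added example that is not from this thread or from Splunk: a small Python parser over a constructed TailingProcessor:FileStatus reply that reports each monitored file's percent read and flags whitelisted files that are not at 100%. The Atom/s:dict layout and the per-file key names ("file position", "file size", "percent", "type") are assumptions about the endpoint's output.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by Splunk's Atom-style REST responses.
NS = {"atom": "http://www.w3.org/2005/Atom", "s": "http://dev.splunk.com/ns/rest"}

# Constructed sample of what GET .../services/admin/inputstatus/TailingProcessor:FileStatus
# returns; the per-file keys ("file position", "file size", "percent", "type") are assumed.
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <entry><title>TailingProcessor:FileStatus</title><content type="text/xml"><s:dict>
    <s:key name="inputs"><s:dict>
      <s:key name="C:\\Windows\\System32\\dhcp\\DhcpSrvLog-Mon.log"><s:dict>
        <s:key name="file position">40960</s:key>
        <s:key name="file size">40960</s:key>
        <s:key name="percent">100.00</s:key>
        <s:key name="type">finished reading</s:key>
      </s:dict></s:key>
      <s:key name="C:\\Windows\\System32\\dhcp\\DhcpV6SrvLog-Mon.log"><s:dict>
        <s:key name="file position">1024</s:key>
        <s:key name="file size">8192</s:key>
        <s:key name="percent">12.50</s:key>
        <s:key name="type">open file</s:key>
      </s:dict></s:key>
    </s:dict></s:key>
  </s:dict></content></entry>
</feed>"""


def file_status(xml_text):
    """Map each monitored path to its position, size, percent read and reader state."""
    root = ET.fromstring(xml_text)
    inputs = root.find(".//s:key[@name='inputs']/s:dict", NS)
    status = {}
    for entry in inputs.findall("s:key", NS):
        fields = {k.get("name"): (k.text or "").strip()
                  for k in entry.findall("s:dict/s:key", NS)}
        status[entry.get("name")] = {
            "position": int(fields.get("file position", 0)),
            "size": int(fields.get("file size", 0)),
            "percent": float(fields.get("percent", 0)),
            "type": fields.get("type", ""),
        }
    return status


def unfinished(status, whitelist=r"Dhcp.+\.log"):
    """Paths matching the input's whitelist regex that are not reported 100% read."""
    pat = re.compile(whitelist)
    return sorted(p for p, f in status.items() if pat.search(p) and f["percent"] < 100.0)
```

Point `file_status` at the real reply fetched from the forwarder's management port; a file that stays below 100% or never reaches "finished reading" is the one to investigate.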

kristian_kolb
Ultra Champion

You're welcome 🙂

0 Karma

kingpin867
New Member

Arggh, I'm embarrassed. I wasn't using the correct terminology and everything was getting there correctly. Thanks for the nudge!

0 Karma