Hello Team,
We are parsing logs from a Linux machine to a Splunk indexer via the Splunk Universal Forwarder on that Linux machine. From the monitor input paths "var/logs" I am getting data in the indexers, but I am not getting data from this path: "monitor:///opt/apps/mule-runtimes/mule-ee-runtime-1/logs". Please help with what to do; for reference, please check the snap below.
Hi
Does the Splunk UF user have read access to this directory? And have you restarted the UF after updating the configuration?
Usually when you are monitoring a directory you should add whitelists there; the other option is to use file names and define sourcetypes for those at the same time.
You can see what Splunk thinks it should read with
splunk btool inputs list monitor:///opt/apps/mule-runtimes/mule-ee-runtime-1/logs --debug
Another tool to see what it has read is
splunk list inputstatus
r. Ismo
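The read-access question in the answer above can be checked one path component at a time, since a single parent directory without the execute bit hides everything below it from the forwarder. This is an added example, not part of the original posts: the function name `first_blocked` and the script name `check_path.sh` are hypothetical, and it has to be run as the account the UF runs under, because root passes every check.

```shell
#!/bin/sh
# Added example (not from the thread): report the first path component that
# the *current* user cannot use. Run it as the forwarder's service account:
#   sudo -u <uf_user> sh check_path.sh /opt/apps/mule-runtimes/mule-ee-runtime-1/logs
# <uf_user> is a placeholder for the account your UF runs as.

# Prints "ok <path>" and returns 0, or prints the blocking component and returns 1.
first_blocked() {
    target=$1
    case $target in
        /*) ;;
        *) echo "not-absolute $target"; return 2 ;;
    esac

    # Split the path on "/" without glob expansion.
    old_ifs=$IFS
    set -f; IFS=/
    set -- $target
    IFS=$old_ifs; set +f

    current=""
    for part in "$@"; do
        [ -n "$part" ] || continue
        current="$current/$part"
        if [ ! -e "$current" ]; then
            echo "missing $current"; return 1
        fi
        # Every directory on the way needs the execute (search) bit.
        if [ -d "$current" ] && [ ! -x "$current" ]; then
            echo "no-traverse $current"; return 1
        fi
    done

    # The monitored directory (or file) itself must also be readable.
    if [ ! -r "$target" ]; then
        echo "no-read $target"; return 1
    fi
    echo "ok $target"
}

if [ "$#" -gt 0 ]; then
    first_blocked "$1"
fi
```

A "no-traverse" or "no-read" result names the directory whose mode or ownership needs to change for the UF account; restart the forwarder afterwards and confirm with `splunk list inputstatus`.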
Thanks for the clue, @isoutamo. I made the respective changes and got the solution.