Getting Data In

Monitoring inputs not parsing logs to indexers

phanichintha
Path Finder

Hello Team,

We are parsing logs from a Linux machine to the Splunk indexer via the Splunk Universal Forwarder on that Linux machine. From the monitor input path "var/logs" I am getting data in the indexers, but I am not getting data from the path "monitor:///opt/apps/mule-runtimes/mule-ee-runtime-1/logs". Please help with what to do; for reference, please check the snapshot below.

Path list.png


isoutamo
SplunkTrust

Hi

Does the Splunk UF user have read access to this directory? And have you restarted the UF after updating the configuration?

Usually when you are monitoring a directory you should add whitelists there, or the other option is to use the file name and define sourcetypes for those at the same time.

You can see what Splunk thinks it should read with

splunk btool inputs list monitor:///opt/apps/mule-runtimes/mule-ee-runtime-1/logs --debug

Another tool to see what it has read is 

splunk list inputstatus

r. Ismo 
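
The read-access and path checks suggested above, as an added shell example that is not part of the original post: it walks every component of a monitored directory and reports the first one that is missing (for example a typo in the stanza path) or that blocks the current user. Run it as the account the forwarder runs under; the function name and output strings are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Run as the forwarder's service account:
#   sudo -u <uf_user> sh check_monitor_path.sh /opt/apps/.../logs
# (<uf_user> is a placeholder for whichever user runs your UF).

# Print the first reason the current user cannot read files in directory $1,
# or "ok: <n> readable file(s)" when nothing blocks it. Not recursive.
check_monitor_path() {
    target=$1
    case $target in
        /*) ;;
        *) echo "not-absolute: $target"; return 2 ;;
    esac

    # Walk from / downwards: every parent directory must exist and grant
    # search (x) permission, otherwise nothing below it is reachable.
    rest=${target#/}
    current=
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue
        current=$current/$part
        if [ ! -e "$current" ]; then echo "missing: $current"; return 1; fi
        if [ ! -d "$current" ]; then echo "not-a-directory: $current"; return 1; fi
        if [ ! -x "$current" ]; then echo "no-search-permission: $current"; return 1; fi
    done

    # Listing the directory needs read (r) on the directory itself.
    if [ ! -r "$target" ]; then echo "cannot-list: $target"; return 1; fi

    # Each regular file must be readable by this user.
    readable=0
    for f in "$target"/*; do
        [ -f "$f" ] || continue
        if [ ! -r "$f" ]; then echo "unreadable-file: $f"; return 1; fi
        readable=$((readable + 1))
    done
    echo "ok: $readable readable file(s)"
}

# Stand-alone use: pass the directory from the [monitor://...] stanza.
if [ $# -gt 0 ]; then check_monitor_path "$1"; fi
```

A result of "ok" with the input still silent points away from permissions and towards the stanza itself, which is where the btool output helps.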


phanichintha
Path Finder

Thanks for the clue @isoutamo. I made the respective changes, and I got the solution.
