Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Monitoring inputs not parsing logs to indexers

phanichintha
Path Finder
‎09-13-2021 04:21 AM

Hello Team,

As we are parsing logs from Linux machine to Splunk indexer via Splunk Universal Forwarder in Linux machine, from monitor input paths "var/logs" am getting data in indexers but am not getting data from this path "monitor:///opt/apps/mule-runtimes/mule-ee-runtime-1/logs" please help what to do, for reference please check the below snap.

Path list.png

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-13-2021 05:56 AM

Hi

have the Splunk UF user read access to this directory? And are you restarted UF after updating configurations?

Usually when you are monitoring directory you should add white lists there or other option is use file name and define sourcetypes for those at same time?

You could see what splunk thinks that it should be read by 

splunk btool inputs list monitor:///opt/apps/mule-runtimes/mule--ee-runtime-1/logs --debug

Another tool to see what it has read is 

splunk list inputstatus

r. Ismo 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

phanichintha
Path Finder
‎09-13-2021 07:04 AM

Thanks for the clue @isoutamo I did respective changes, and I got the solution.

0 Karma
Reply
Solved! Jump to solution
Solution

isoutamo
SplunkTrust
SplunkTrust
‎09-13-2021 05:56 AM

Hi

have the Splunk UF user read access to this directory? And are you restarted UF after updating configurations?

Usually when you are monitoring directory you should add white lists there or other option is use file name and define sourcetypes for those at same time?

You could see what splunk thinks that it should be read by 

splunk btool inputs list monitor:///opt/apps/mule-runtimes/mule--ee-runtime-1/logs --debug

Another tool to see what it has read is 

splunk list inputstatus

r. Ismo 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...