Need help troubleshooting oneshot

cgregors · ‎06-02-2014

I'm trying to get an archival datafile into the indexes via oneshot.

Current directory = C:\Program Files\SplunkUniversalForwarder\bin

Full path to source file = C:\Program Files\SplunkUniversalForwarder\bin\recovery\l21\20131213_153013\l21.almlog

Command = splunk add oneshot .\recovery\l21\20131213_153013\l21.almlog -sourcetype ld_alarm_log -index legacy-main -host ewwp0029

Output from command =

Oneshot 'C:\Program Files\SplunkUniversalForwarder\bin\recovery\l21\20131213_153
013\l21.almlog' added

Time passes and the data from the file doesn't appear in the indexes.

I'm looking for suggestions on troubleshooting the problem.

TIA

Chris

cgregors · ‎06-02-2014

Found my own answer (always a good thing).

I was going to move the files off the windows box onto a linux box and oneshot them from there. It turns out all the logs are 0 bytes in length.

The app people have a bug in their script that doesn't archive the logs correctly. Nothing I can do about that except point it out for them.

Lesson learned: Start at the source and make sure there is data where you think there should be.
Thanks Chris.

Join the Conversation