Getting Data In

Newly created logs from a currently monitored directory is not showing in Splunk

Isaias_Garcia
Path Finder

I have the below config setup in inputs.conf to monitor all logs found in /var/log directory ( e.g. messages,mailog,named.log,secure log etc) and I can search them all in Splunk.

[monitor:///var/log]
disabled = false
followTail = 0
host = pxxxxxxxxxxxdev
index = dev

However when I created a script and passed its logs (myscriptlog.log) into /var/log/,the Splunk cannot search that log although I still use the same search query "source=/var/log/*" and I also try "source=/var/log/myscriptlog.log" but there is 0 event though there is actually myscriptlog.log created in /var/log. Question: Do I need to restart inputs.conf although I did not change anything into it? Is there a Splunk command to search newly created log from the directory that is already being monitored and configured in inputs.conf?Please advise. Thank you

0 Karma

MuS
Legend

Hi Isaias.Garcia,

most commonly this is a permission problem and the account that runs splunk (on *nix Systems mostly splunk) has no read rights in /var/log. Also what can happen, is that your test log is too small.

You can run this search as Splunk admin user:

index=_internal source="*splunkd.log*" TailingProcessor myscriptlog.log

and see if the is anything related to your log file.

hope this helps ...

cheers, MuS

0 Karma

MuS
Legend

you're welcome please mark this as answered - thx

0 Karma

Isaias_Garcia
Path Finder

Anyway I used the same savedsearch i,e source=/var/log/myscriptlog.log and filtered it to All Time..

0 Karma

Isaias_Garcia
Path Finder

Thanks MuS. At first, it did not work but when I filter the time range to "All Time" the log's finally shown up so its quite weird because the logfile was just created last 24 hrs . Perhaps I will just filter my savedsearch to "All Time" for the time being. Thanks MuS

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...