Getting Data In

Newly created logs from a currently monitored directory is not showing in Splunk

Isaias_Garcia
Path Finder

I have the below config setup in inputs.conf to monitor all logs found in the /var/log directory (e.g. messages, maillog, named.log, secure log etc.) and I can search them all in Splunk.

[monitor:///var/log]
disabled = false
followTail = 0
host = pxxxxxxxxxxxdev
index = dev

However, when I created a script and passed its logs (myscriptlog.log) into /var/log/, Splunk cannot search that log, although I still use the same search query "source=/var/log/*" and I also tried "source=/var/log/myscriptlog.log", but there are 0 events even though myscriptlog.log was actually created in /var/log. Question: Do I need to restart inputs.conf although I did not change anything in it? Is there a Splunk command to search a newly created log from the directory that is already being monitored and configured in inputs.conf? Please advise. Thank you

0 Karma

MuS
Legend

Hi Isaias.Garcia,

Most commonly this is a permission problem: the account that runs Splunk (on *nix systems mostly splunk) has no read rights in /var/log. Also, what can happen is that your test log is too small.

You can run this search as Splunk admin user:

index=_internal source="*splunkd.log*" TailingProcessor myscriptlog.log

and see if there is anything related to your log file.

hope this helps ...

cheers, MuS

0 Karma
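As an added example (not from MuS's post or from Splunk itself) of the permission check described above, this POSIX shell script tests whether a file under a [monitor://] stanza is non-empty and whether the Splunk service account (assumed here to be named "splunk"; pass another name as the second argument) can traverse every parent directory and read the file. It evaluates mode bits only, so it does not model root's bypass or ACLs, and it assumes GNU coreutils stat and id.

```shell
#!/bin/sh
# Added example, not part of the thread. Pre-flight check for a file that a
# [monitor:///var/log] stanza should pick up: is it non-empty, and can the
# Splunk service account (assumed "splunk") reach and read it?

# perm_ok PATH USER MASK -> 0 if the bit MASK (4=read, 1=execute/search) is
# set in the owner, group, or other digit that applies to USER.
perm_ok() {
  path="$1" user="$2" mask="$3"
  owner=$(stat -c %U "$path") group=$(stat -c %G "$path")
  mode=$(printf '%03d' "$(stat -c %a "$path")")   # e.g. "0" -> "000"
  mode=${mode#"${mode%???}"}                       # keep last three digits
  if [ "$owner" = "$user" ]; then
    digit=$(printf %s "$mode" | cut -c1)
  elif id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
    digit=$(printf %s "$mode" | cut -c2)
  else
    digit=$(printf %s "$mode" | cut -c3)
  fi
  [ $(( digit & mask )) -ne 0 ]
}

# check_monitored_file FILE [USER] -> 0 when USER can traverse to, read,
# and find content in FILE; otherwise prints the first problem, returns 1.
check_monitored_file() {
  file="$1" user="${2:-splunk}"
  [ -e "$file" ] || { echo "missing: $file"; return 1; }
  id -u "$user" >/dev/null 2>&1 || { echo "no such account: $user"; return 1; }
  # Every parent directory needs the search (execute) bit for USER.
  dir=$(dirname "$file")
  while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
    perm_ok "$dir" "$user" 1 || { echo "$user cannot traverse $dir"; return 1; }
    dir=$(dirname "$dir")
  done
  perm_ok "$file" "$user" 4 || { echo "$user cannot read $file"; return 1; }
  [ -s "$file" ] || { echo "empty file: $file"; return 1; }
  return 0
}
```

Run it as `check_monitored_file /var/log/myscriptlog.log splunk` on the forwarder; a traversal or read failure points at the ownership or mode to fix, and an "empty file" result means there is nothing for the tailing processor to index yet.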

MuS
Legend

You're welcome, please mark this as answered - thx

0 Karma

Isaias_Garcia
Path Finder

Anyway, I used the same saved search, i.e. source=/var/log/myscriptlog.log, and filtered it to All Time.

0 Karma

Isaias_Garcia
Path Finder

Thanks MuS. At first it did not work, but when I filtered the time range to "All Time" the logs finally showed up, so it's quite weird because the logfile was just created in the last 24 hrs. Perhaps I will just filter my saved search to "All Time" for the time being. Thanks MuS

0 Karma