I have the below config set up in inputs.conf to monitor all logs found in the /var/log directory (e.g. messages, mailog, named.log, secure log, etc.), and I can search them all in Splunk.
[monitor:///var/log]
disabled = false
followTail = 0
host = pxxxxxxxxxxxdev
index = dev
However, when I created a script and passed its logs (myscriptlog.log) into /var/log/, Splunk cannot search that log, although I still use the same search query "source=/var/log/*". I also tried "source=/var/log/myscriptlog.log", but there are 0 events, even though myscriptlog.log is actually created in /var/log. Question: Do I need to restart inputs.conf although I did not change anything in it? Is there a Splunk command to search a newly created log from a directory that is already being monitored and configured in inputs.conf? Please advise. Thank you
Hi Isaias.Garcia,
most commonly this is a permission problem: the account that runs Splunk (on *nix systems mostly splunk) has no read rights in /var/log. Also, what can happen is that your test log is too small.
You can run this search as Splunk admin user:
index=_internal source="*splunkd.log*" TailingProcessor myscriptlog.log
and see if there is anything related to your log file.
hope this helps ...
cheers, MuS
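An added pre-flight check along the lines of MuS's answer (example code, not from the thread or from Splunk): it tests whether the Splunk service account can read the file and whether the file has reached a minimum size, and then points at the splunkd.log grep MuS suggests. The account name "splunk" and the 256-byte threshold (the default initCrcLength) are assumptions and are passed in as variables.

```shell
#!/bin/sh
# Added example, not from the original thread: pre-flight checks for a file that a
# [monitor://] stanza should pick up, mirroring MuS's two suspects: the splunk
# account cannot read the file (or traverse a parent directory), or the file is
# too small. Assumptions: the service account is "splunk" and the size threshold
# is the default initCrcLength of 256 bytes; both are overridable parameters.

SPLUNK_USER="${SPLUNK_USER:-splunk}"
MIN_BYTES="${MIN_BYTES:-256}"

# readable_as PATH [USER]: return 0 if USER (default $SPLUNK_USER) can read PATH.
# Only shells out to sudo when the target account differs from the caller, so the
# check also works unprivileged when you are already the splunk user.
readable_as() {
  path=$1; user=${2:-$SPLUNK_USER}
  if [ "$user" = "$(id -un)" ]; then
    [ -r "$path" ]
  else
    sudo -n -u "$user" test -r "$path" 2>/dev/null
  fi
}

# big_enough PATH [MIN]: return 0 if PATH is a regular file of at least MIN bytes.
big_enough() {
  path=$1; min=${2:-$MIN_BYTES}
  [ -f "$path" ] || return 1
  size=$(wc -c < "$path" | tr -d ' ')
  [ "$size" -ge "$min" ]
}

# check_monitor_target PATH: print one verdict per check, return 0 only if both pass.
check_monitor_target() {
  path=$1; rc=0
  if readable_as "$path"; then
    echo "OK    $SPLUNK_USER can read $path"
  else
    echo "FAIL  $SPLUNK_USER cannot read $path (check the mode of the file and of every parent dir)"
    rc=1
  fi
  if big_enough "$path"; then
    echo "OK    $path is at least $MIN_BYTES bytes"
  else
    echo "WARN  $path is under $MIN_BYTES bytes (assumed threshold); let it grow and re-check"
    rc=1
  fi
  return $rc
}

# Then ask the TailingProcessor what it did with the file, as MuS suggests, but
# straight from disk on the forwarder/indexer instead of via a search:
#   grep TailingProcessor "$SPLUNK_HOME/var/log/splunk/splunkd.log" | grep myscriptlog.log

if [ $# -gt 0 ]; then
  check_monitor_target "$1"
fi
```

Run it as `SPLUNK_USER=splunk ./check_monitor.sh /var/log/myscriptlog.log` on the host that runs the monitor input; a FAIL on the read check is fixed with file/directory permissions (or a group for the splunk account), not by restarting anything, and a WARN simply means the file has not grown enough yet.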
You're welcome. Please mark this as answered - thx
Anyway, I used the same saved search, i.e. source=/var/log/myscriptlog.log, and filtered it to All Time.
Thanks MuS. At first it did not work, but when I filter the time range to "All Time" the logs finally show up, so it's quite weird, because the logfile was just created in the last 24 hrs. Perhaps I will just filter my saved search to "All Time" for the time being. Thanks MuS