- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Newly created logs from a currently monitored ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Newly created logs from a currently monitored directory is not showing in Splunk
I have the below config setup in inputs.conf to monitor all logs found in /var/log directory ( e.g. messages,mailog,named.log,secure log etc) and I can search them all in Splunk.
[monitor:///var/log]
disabled = false
followTail = 0
host = pxxxxxxxxxxxdev
index = dev
However when I created a script and passed its logs (myscriptlog.log) into /var/log/,the Splunk cannot search that log although I still use the same search query "source=/var/log/*" and I also try "source=/var/log/myscriptlog.log" but there is 0 event though there is actually myscriptlog.log created in /var/log. Question: Do I need to restart inputs.conf although I did not change anything into it? Is there a Splunk command to search newly created log from the directory that is already being monitored and configured in inputs.conf?Please advise. Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Isaias.Garcia,
most commonly this is a permission problem and the account that runs splunk (on *nix Systems mostly splunk) has no read rights in /var/log. Also what can happen, is that your test log is too small.
You can run this search as Splunk admin user:
index=_internal source="*splunkd.log*" TailingProcessor myscriptlog.log
and see if the is anything related to your log file.
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you're welcome please mark this as answered - thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anyway I used the same savedsearch i,e source=/var/log/myscriptlog.log and filtered it to All Time..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks MuS. At first, it did not work but when I filter the time range to "All Time" the log's finally shown up so its quite weird because the logfile was just created last 24 hrs . Perhaps I will just filter my savedsearch to "All Time" for the time being. Thanks MuS
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
