Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Newly created logs from a currently monitored directory is not showing in Splunk

Isaias_Garcia
Path Finder
‎06-17-2014 06:39 PM

I have the below config setup in inputs.conf to monitor all logs found in /var/log directory ( e.g. messages,mailog,named.log,secure log etc) and I can search them all in Splunk.

[monitor:///var/log]
disabled = false
followTail = 0
host = pxxxxxxxxxxxdev
index = dev

However when I created a script and passed its logs (myscriptlog.log) into /var/log/,the Splunk cannot search that log although I still use the same search query "source=/var/log/*" and I also try "source=/var/log/myscriptlog.log" but there is 0 event though there is actually myscriptlog.log created in /var/log. Question: Do I need to restart inputs.conf although I did not change anything into it? Is there a Splunk command to search newly created log from the directory that is already being monitored and configured in inputs.conf?Please advise. Thank you

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-17-2014 11:49 PM

Hi Isaias.Garcia,

most commonly this is a permission problem and the account that runs splunk (on *nix Systems mostly splunk) has no read rights in /var/log. Also what can happen, is that your test log is too small.

You can run this search as Splunk admin user:

index=_internal source="*splunkd.log*" TailingProcessor myscriptlog.log

and see if the is anything related to your log file.

hope this helps ...

cheers, MuS

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎06-18-2014 01:13 AM

you're welcome please mark this as answered - thx

0 Karma
Reply

Isaias_Garcia
Path Finder
‎06-18-2014 01:09 AM

Anyway I used the same savedsearch i,e source=/var/log/myscriptlog.log and filtered it to All Time..

0 Karma
Reply

Isaias_Garcia
Path Finder
‎06-18-2014 01:08 AM

Thanks MuS. At first, it did not work but when I filter the time range to "All Time" the log's finally shown up so its quite weird because the logfile was just created last 24 hrs . Perhaps I will just filter my savedsearch to "All Time" for the time being. Thanks MuS

0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...