Re: Not seeing any data ingesting to index

sathwikr076 · ‎08-16-2019

Hello,

I have created an app and add inputs.conf with the log path and the index name.
Created a serverclass and added that app and the servers which need to ingest the data but I still cannot see any data ingesting to that index.

Outputs.conf is already there on those servers and they are ingesting some data to other indexes.
I don't know what I did wrong here. Please give some suggestions.

Thanks.

woodcock · ‎08-17-2019

You need to be much more specific with details. What file are in what directories on what servers and what is in the files? What are the permissions on those files? What does btool say? What are the servers that touch the data on the way in?

solarboyz1 · ‎08-16-2019

Have you checked the _internal indexes for the startup logs from the UF?

It should show the UF reading in the Stanza's, do you see the input stanza in the logs?

08-04-2019 11:37:07.050 -0500 INFO  WatchedFile - Will begin reading at offset=123 for file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log'.

08-04-2019 11:37:02.409 -0500 INFO  TailingProcessor - Adding watch on path: C:\Program Files\SplunkUniversalForwarder\var\log\splunk

Do you see any error logs, related to access reading from the file location?

Check the metrics logs?

index=_* component=metrics group=per_source_thruput series=$file_location$

Do you see this source getting forwarded?

Check permissions on the file location and file, make sure the Splunk process can access it.

sathwikr076 · ‎08-16-2019

When i checked this query which you mentioned above index=_* component=metrics group=per_source_thruput series=$file_location$, i did not find the path i just added to get the ingestion.

solarboyz1 · ‎08-19-2019

Did you see any WatchedFile or TailingProcessor events for the path?

To be clear, you replaced $file_location$ with a regular expression that would match the path?

If so, here's some steps:

Make sure you're receiving events to the internal index ( index=_* )
Make sure you're getting metrics (index=_* component=Metrics)
Make sure you're getting events from the host in question ( index=_* host=$hostname$ )

sathwikr076 · ‎08-19-2019

yes, I am getting the metric log. Today i got the information from the Application owner is that there is no data in those servers in the log path they provided me as they are brand new servers. I think everything should be good once there are some logs in that path. Thanks for the reply.

Kawtar · ‎08-18-2019

Did you check if the index is created and then if there is a problem in conf file props.conf

somesoni2 · ‎08-16-2019

I would recommend reading this: https://docs.splunk.com/Documentation/Splunk/7.3.1/Troubleshooting/Cantfinddata

Did your source/client server received the app your created??Can you confirm if the files you're monitoring are readable by Splunk?

sathwikr076 · ‎08-16-2019

Hi, Thanks for the reply. I asked that team to look if the app is deployed. Can you please let me know how to confirm if the files are readable by splunk.
Thanks.

somesoni2 · ‎08-16-2019

Is the logs coming from a linux machine? If yes then you need to contact server admin to sudo login as account with which the Splunkd service is running and see if the file is readable (you can open in VIM editor OR run a tail command on the file with splunkd account).

sathwikr076 · ‎08-16-2019

i will update to the person if you he can check these things to confirm if the splunk can read the file.
Thanks.

sathwikr076 · ‎08-16-2019

can you let know how to check the permission of the file if it is in windows.
Thanks.

Not seeing any data ingesting to index

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM