I have created an app and added inputs.conf with the log path and the index name.
I created a serverclass and added that app and the servers which need to ingest the data, but I still cannot see any data being ingested into that index.
Outputs.conf is already there on those servers and they are ingesting some data to other indexes.
I don't know what I did wrong here. Please give some suggestions.
You need to be much more specific with details. What files are in which directories on which servers, and what is in the files? What are the permissions on those files? What does btool say? What are the servers that touch the data on the way in?
Have you checked the _internal indexes for the startup logs from the UF?
It should show the UF reading in the stanzas. Do you see the input stanza in the logs?
08-04-2019 11:37:07.050 -0500 INFO WatchedFile - Will begin reading at offset=123 for file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log'.
08-04-2019 11:37:02.409 -0500 INFO TailingProcessor - Adding watch on path: C:\Program Files\SplunkUniversalForwarder\var\log\splunk
Do you see any error logs related to access when reading from the file location?
Check the metrics logs:
index=_* component=metrics group=per_source_thruput series=$file_location$
Do you see this source getting forwarded?
Check permissions on the file location and file, make sure the Splunk process can access it.
When I checked the query you mentioned above, index=_* component=metrics group=per_source_thruput series=$file_location$, I did not find the path I just added for ingestion.
Did you see any WatchedFile or TailingProcessor events for the path?
To be clear, you replaced $file_location$ with a regular expression that would match the path?
If so, here are some steps:
Make sure you're receiving events to the internal index ( index=_* )
Make sure you're getting metrics (index=_* component=Metrics)
Make sure you're getting events from the host in question ( index=_* host=$hostname$ )
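A quick way to run the checks from the last two answers (TailingProcessor/WatchedFile entries in splunkd.log, then per_source_thruput in metrics.log) over the forwarder's own log files, as an added example that is not from the thread or from Splunk; the sample log lines are constructed, and the wording of the permission WARN line is an assumption, not quoted from splunkd.

```python
import re

# Constructed sample lines in the shape of a universal forwarder's splunkd.log and
# metrics.log (not copied from the thread); the WARN line's wording is an assumption.
SPLUNKD_LOG = """\
08-04-2019 11:37:02.409 -0500 INFO TailingProcessor - Adding watch on path: /var/log/myapp
08-04-2019 11:37:07.050 -0500 INFO WatchedFile - Will begin reading at offset=0 for file='/var/log/myapp/app.log'.
08-04-2019 11:37:07.051 -0500 WARN TailingProcessor - Cannot read path="/var/log/other/secret.log": Permission denied
"""
METRICS_LOG = """\
08-04-2019 11:38:00.000 -0500 INFO Metrics - group=per_source_thruput, series="/var/log/myapp/app.log", kbps=0.000, eps=0.000, kb=0.000, ev=0, avg_age=0, max_age=0
08-04-2019 11:38:00.000 -0500 INFO Metrics - group=per_source_thruput, series="/opt/splunkforwarder/var/log/splunk/metrics.log", kbps=0.123, eps=1.500, kb=3.800, ev=47, avg_age=0, max_age=0
"""

WATCH_RE = re.compile(r"TailingProcessor - Adding watch on path: ")
READ_RE = re.compile(r"WatchedFile - Will begin reading at offset=\d+ for file='(?P<file>[^']+)'")
THRUPUT_RE = re.compile(r'group=per_source_thruput, series="(?P<series>[^"]+)".*?\bev=(?P<ev>\d+)')

def diagnose(monitored_path, splunkd_log, metrics_log):
    """Summarise what the forwarder's own logs say about one monitor path."""
    report = {"watch_added": False, "files_read": [], "access_errors": [], "events_forwarded": 0}
    for line in splunkd_log.splitlines():
        if monitored_path not in line:          # only lines that mention this path
            continue
        if WATCH_RE.search(line):
            report["watch_added"] = True        # the inputs.conf stanza was loaded
        m = READ_RE.search(line)
        if m:
            report["files_read"].append(m.group("file"))
        if (" WARN " in line or " ERROR " in line) and "denied" in line.lower():
            report["access_errors"].append(line)
    for line in metrics_log.splitlines():       # series= is the file, ev= events in the interval
        m = THRUPUT_RE.search(line)
        if m and m.group("series").startswith(monitored_path):
            report["events_forwarded"] += int(m.group("ev"))
    return report

def verdict(report):
    """Map the report to the next thing to check, in the order the answers suggest."""
    if report["access_errors"]:
        return "permission: splunkd cannot read the path; fix file/directory permissions"
    if not report["watch_added"]:
        return "not-deployed: no TailingProcessor watch; check the serverclass and btool inputs output"
    if not report["files_read"]:
        return "no-files: watch exists but no file under the path matched the stanza"
    if report["events_forwarded"] == 0:
        return "no-data: file is watched but has produced no events yet (empty or idle log)"
    return "ok: events from this path are being forwarded"
```

The "no-data" case is the one the original poster ended up in: the stanza was deployed and the file was watched, but the brand-new servers had not written anything to the path yet.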
Yes, I am getting the metrics log. Today I got information from the application owner that there is no data on those servers in the log path they provided me, as they are brand new servers. I think everything should be good once there are some logs in that path. Thanks for the reply.
I would recommend reading this: https://docs.splunk.com/Documentation/Splunk/7.3.1/Troubleshooting/Cantfinddata
Did your source/client server receive the app you created? Can you confirm that the files you're monitoring are readable by Splunk?
Are the logs coming from a Linux machine? If yes, then you need to contact the server admin to sudo login as the account under which the splunkd service is running and see if the file is readable (you can open it in the VIM editor or run a tail command on the file with the splunkd account).