
Not seeing any data ingesting to index

Communicator

Hello,

I have created an app and added inputs.conf with the log path and the index name.
Created a serverclass and added that app and the servers which need to ingest the data but I still cannot see any data ingesting to that index.

Outputs.conf is already there on those servers and they are ingesting some data to other indexes.
I don't know what I did wrong here. Please give some suggestions.

Thanks.

0 Karma

Re: Not seeing any data ingesting to index

SplunkTrust

I would recommend reading this: https://docs.splunk.com/Documentation/Splunk/7.3.1/Troubleshooting/Cantfinddata

Did your source/client server receive the app you created? Can you confirm if the files you're monitoring are readable by Splunk?

0 Karma

Re: Not seeing any data ingesting to index

Communicator

Hi, thanks for the reply. I asked that team to look if the app is deployed. Can you please let me know how to confirm if the files are readable by Splunk?
Thanks.

0 Karma

Re: Not seeing any data ingesting to index

SplunkTrust

Are the logs coming from a Linux machine? If yes, then you need to contact the server admin to sudo login as the account with which the splunkd service is running and see if the file is readable (you can open it in the Vim editor or run a tail command on the file with the splunkd account).

0 Karma

Re: Not seeing any data ingesting to index

Communicator

I will update the person to see if he can check these things to confirm whether Splunk can read the file.
Thanks.

0 Karma

Re: Not seeing any data ingesting to index

Communicator

Can you let me know how to check the permissions of the file if it is on Windows?
Thanks.

0 Karma

Re: Not seeing any data ingesting to index

Builder

Have you checked the _internal indexes for the startup logs from the UF?

It should show the UF reading in the stanzas. Do you see the input stanza in the logs?

08-04-2019 11:37:07.050 -0500 INFO  WatchedFile - Will begin reading at offset=123 for file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log'.

08-04-2019 11:37:02.409 -0500 INFO  TailingProcessor - Adding watch on path: C:\Program Files\SplunkUniversalForwarder\var\log\splunk

Do you see any error logs related to access when reading from the file location?

Check the metrics logs?

index=* component=metrics group=per_source_thruput series=$file_location$

Do you see this source getting forwarded?

Check permissions on the file location and file, make sure the Splunk process can access it.

0 Karma
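The splunkd.log check described in the reply above, as an added example that is not part of the original thread: it scans forwarder log lines for one monitored path and reports whether the watch was added, whether a file was opened, and whether any WARN/ERROR line mentions the path. The function names, the `D:\apps\billing\logs` path and the WARN message are constructed for illustration; only the two INFO line formats come from the post.

```python
import re

# Constructed sample of splunkd.log lines. The two INFO formats are the ones
# quoted in the post; the D:\apps path and the WARN message are made up.
SAMPLE_LOG = r"""
08-04-2019 11:37:02.409 -0500 INFO  TailingProcessor - Adding watch on path: C:\Program Files\SplunkUniversalForwarder\var\log\splunk
08-04-2019 11:37:02.411 -0500 INFO  TailingProcessor - Adding watch on path: D:\apps\billing\logs
08-04-2019 11:37:07.050 -0500 INFO  WatchedFile - Will begin reading at offset=123 for file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log'.
08-04-2019 11:37:07.300 -0500 WARN  TailReader - constructed example: cannot open D:\apps\billing\logs\app.log
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\w+) - (?P<msg>.*)$")

def check_input(log_text, monitored_path):
    """Summarise what splunkd.log says about one monitored path."""
    needle = monitored_path.lower()  # Windows paths are case-insensitive
    result = {"watch_added": False, "reading": [], "problems": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or needle not in m["msg"].lower():
            continue  # unparsable line, or a line about some other path
        if m["level"] in ("WARN", "ERROR"):
            result["problems"].append((m["component"], m["msg"]))
        elif m["component"] == "TailingProcessor" and "Adding watch on path:" in m["msg"]:
            result["watch_added"] = True
        elif m["component"] == "WatchedFile":
            f = re.search(r"file='([^']+)'", m["msg"])
            if f:
                result["reading"].append(f.group(1))
    return result

def diagnose(r):
    """Map the summary to the next troubleshooting step from the thread."""
    if not r["watch_added"]:
        return "input stanza not loaded: check that the app reached the forwarder"
    if r["problems"]:
        return "stanza loaded but splunkd reported problems: check file permissions"
    if not r["reading"]:
        return "watch added but no file opened: check the path and that files exist"
    return "file is being read: look at outputs and the index instead"
```
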

Re: Not seeing any data ingesting to index

Communicator

When I checked this query which you mentioned above, index=* component=metrics group=per_source_thruput series=$file_location$, I did not find the path I just added to get the ingestion.

0 Karma

Re: Not seeing any data ingesting to index

Path Finder

Did you check if the index is created, and then if there is a problem in the conf file props.conf?

0 Karma

Re: Not seeing any data ingesting to index

Builder

Did you see any WatchedFile or TailingProcessor events for the path?

To be clear, you replaced $file_location$ with a regular expression that would match the path?

If so, here are some steps:

  1. Make sure you're receiving events to the internal index ( index=_* )

  2. Make sure you're getting metrics (index=_* component=Metrics)

  3. Make sure you're getting events from the host in question ( index=_* host=$hostname$ )

0 Karma