I have created an app and added inputs.conf with the log path and the index name.
Created a serverclass and added that app and the servers which need to ingest the data but I still cannot see any data ingesting to that index.
Outputs.conf is already there on those servers and they are ingesting some data to other indexes.
I don't know what I did wrong here. Please give some suggestions.
I would recommend reading this: https://docs.splunk.com/Documentation/Splunk/7.3.1/Troubleshooting/Cantfinddata
Did your source/client server receive the app you created? Can you confirm if the files you're monitoring are readable by Splunk?
Hi, thanks for the reply. I asked that team to look if the app is deployed. Can you please let me know how to confirm if the files are readable by Splunk?
Are the logs coming from a Linux machine? If yes, then you need to contact the server admin to sudo login as the account with which the splunkd service is running and see if the file is readable (you can open it in the Vim editor or run a tail command on the file with the splunkd account).
Have you checked the _internal indexes for the startup logs from the UF?
It should show the UF reading in the stanzas. Do you see the input stanza in the logs?
08-04-2019 11:37:07.050 -0500 INFO WatchedFile - Will begin reading at offset=123 for file='C:\Program Files\SplunkUniversalForwarder\var\log\splunk\conf.log'.
08-04-2019 11:37:02.409 -0500 INFO TailingProcessor - Adding watch on path: C:\Program Files\SplunkUniversalForwarder\var\log\splunk
Do you see any error logs, related to access reading from the file location?
Check the metrics logs?
index=* component=metrics group=persourcethruput series=$filelocation$
Do you see this source getting forwarded?
Check permissions on the file location and file, make sure the Splunk process can access it.
When I checked the query you mentioned above, index=* component=metrics group=persourcethruput series=$filelocation$, I did not find the path I just added for ingestion.
Did you see any WatchedFile or TailingProcessor events for the path?
To be clear, you replaced $file_location$ with a regular expression that would match the path?
If so, here are some steps:
Make sure you're receiving events to the internal index ( index=_* )
Make sure you're getting metrics (index=_* component=Metrics)
Make sure you're getting events from the host in question ( index=_* host=$hostname$ )
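
The WatchedFile / TailingProcessor check discussed in this thread can also be run against a copy of the forwarder's splunkd.log. The script below is an added example, not code posted by anyone in the thread; the function names, the verdict labels and the sample log are constructed for illustration, and only the two INFO message shapes come from the log lines quoted above.

```python
import re

# Line layout and the two message shapes come from the splunkd.log lines quoted in the thread.
EVENT = re.compile(r"^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4} "
                   r"(?P<level>[A-Z]+)\s+(?P<component>\w+) - (?P<msg>.*)$")
WATCH = re.compile(r"Adding watch on path: (?P<path>.+)$")
READ = re.compile(r"Will begin reading at offset=\d+ for file='(?P<path>[^']+)'")

def norm(path):
    """Compare Windows and Linux paths alike; tolerate a trailing slash or period."""
    return path.replace("\\", "/").rstrip("/.")

def verdict(log_text, monitored_file):
    """Classify what the forwarder's log says about one monitored file."""
    target = norm(monitored_file)
    watched = reading = problem = False
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        msg = m["msg"]
        # Any WARN/ERROR line naming the file is worth reading in full.
        if m["level"] in ("WARN", "ERROR") and target in msg.replace("\\", "/"):
            problem = True
        w = WATCH.search(msg)
        if m["component"] == "TailingProcessor" and w:
            root = norm(w["path"])
            watched |= target == root or target.startswith(root + "/")
        r = READ.search(msg)
        if m["component"] == "WatchedFile" and r:
            reading |= norm(r["path"]) == target
    if problem:
        return "problem"           # check file permissions for the splunkd account
    if reading:
        return "reading"           # input works; check outputs and index name next
    if watched:
        return "watched_not_read"  # stanza loaded, file not opened yet
    return "no_watch"              # stanza never loaded; app may not be deployed

# Constructed sample, not from a real host; the WARN text is a placeholder.
SAMPLE_LOG = """\
08-04-2019 11:37:02.409 -0500 INFO TailingProcessor - Adding watch on path: /var/log/app
08-04-2019 11:37:07.050 -0500 INFO WatchedFile - Will begin reading at offset=123 for file='/var/log/app/ok.log'.
08-04-2019 11:37:08.000 -0500 WARN TailingProcessor - constructed warning text for /var/log/app/denied.log
"""

if __name__ == "__main__":
    for f in ("/var/log/app/ok.log", "/var/log/app/denied.log", "/var/log/other/x.log"):
        print(f, "->", verdict(SAMPLE_LOG, f))
```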