Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Old log files are not getting ingested into Splunk Cloud

anandhalagarasa
Path Finder
‎09-09-2019 06:41 AM

Hi Team,

We got an requirement to ingest the xyz.log from a client machine.

So i have created an app in the deployment master and deployed the same. The app has been successfully reached the client machine as well.

I have created an app and deployed the same on 8th Sep 2019 and the log file (xyz.log) has been lastly updated on 5th Sep 2019 in the client machine. Actually i believe the log file should be ingested into Splunk Cloud but here in this case its not getting ingested into Splunk Cloud.

So can i know what is the reason behind it and have enclosed my inputs.conf for reference. So kindly check and help on this.

[monitor:///abc/def/ijk/lmn/xyz.log]
sourcetype = pgr:stv
index = 123
disabled = 0

Kindly note the file has the splunk read permission and also in the internal logs it states that the configuration stanza as been parsed. The internal logs are reaching Splunk Cloud without any issues there is no connectivity issues as well.

But still i couldn't able to see the logs in Splunk Cloud.

Tags (1)
0 Karma
Reply

anandhalagarasa
Path Finder
‎09-09-2019 06:53 AM

Kindly help on my request

0 Karma
Reply

tkomatsubara_sp
Splunk Employee
Splunk Employee
‎09-09-2019 06:59 AM

At least, you should check the message in the splunkd.log. What can you find?

0 Karma
Reply

anandhalagarasa
Path Finder
‎09-09-2019 07:15 AM

@tkomatsubara,

In splunkd.log the file is getting parsed refer below:

09-09-2019 05:20:30.415 -0500 INFO TailingProcessor - Parsing configuration stanza: monitor:///abc/def/ijk/lmn/xyz.log

But still the logs are not getting indexed. So can i know how Splunk works? Will it ingest old data as well.

0 Karma
Reply

tkomatsubara_sp
Splunk Employee
Splunk Employee
‎09-09-2019 07:24 AM

There must be some errors. Can you find?

0 Karma
Reply

anandhalagarasa
Path Finder
‎09-10-2019 12:31 AM

There are no errors at all. Am i missing anything in the stanza. And one thing can you confirm is splunk can index the old date data as well.

0 Karma
Reply

anandhalagarasa
Path Finder
‎09-10-2019 08:13 AM

can anyone kindly help on my query.

0 Karma
Reply

anandhalagarasa
Path Finder
‎09-09-2019 07:21 AM

should i need to modify the inputs.conf stanza to ingest the old date logs. And the log date is on 5th Sep only. All seems to be fine but something it happens at the background and hence we couldn't able to ingest those logs.

Is this how Splunk works? Is it wont be able to ingest the old data logs kindly confirm please.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...