Getting Data In

On a Universal Forwarder I did a "splunk clean all", changed some things and started the forwarder, but one of my monitor stanzas is not forwarding...

neiljpeterson
Communicator

The forwarding from this directory was working previous to the clean. My understanding was this was supposed to clean out all indexes including the fishbucket, causing splunk to forget what had already been indexed and reindex it all. There have even been new events generated since the clean, which I would certainly expect to be forwarded and indexed, but I am not seeing anything.

Other stanzas, from the same inputs.conf, are working, like performance data.

What am I doing wrong here?

For completeness' sake, this is the stanza I am expecting to see data from.

[monitor://C:\Websites\logs\...\*]
disabled = false
sourcetype = app_logs
index = app_logs

neiljpeterson
Communicator

Turns out, this was a role permissions issue.

The user account that was performing the searches did not have "All internal indexes" selected under "Indexes searched by default". I was trying to validate the search by searching by host, not by index. If I search for this index specifically the data comes up.

After adding "All internal indexes" the data comes up in a by host search.



sunrise
Contributor

I don't know whether the "splunk clean all" command deletes the fishbucket or not.
But if you delete the fishbucket manually and start the UF instance, it will retransfer that monitored data to the indexer.

cd $SPLUNK_HOME/var/lib/splunk/fishbucket
rm -fR *

neiljpeterson
Communicator

Unfortunately I am on windows... but I did another clean all and it did empty out the fishbucket dir.


MuS
SplunkTrust

Hi neiljpeterson,

On a forwarder you should remove the folder $SPLUNK_HOME/var/lib/splunk/fishbucket.
On an indexer splunk clean eventdata -index _fishbucket will do the magic.

cheers, MuS


neiljpeterson
Communicator

This is what I found:

04-01-2014 09:18:42.197 -0500 INFO  TailingProcessor - Parsing configuration stanza: monitor://C:\Websites\logs\...\*.

MuS
SplunkTrust

Check your forwarder's splunkd.log for anything related to TailingProcessor regarding this input.

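As an added example (not from this thread and not Splunk's own code), a small Python triage helper for the check MuS describes: it parses splunkd.log lines, keeps the TailingProcessor/WatchedFile entries that mention the stanza's base directory, and reports whether the stanza was parsed, which files were opened, and any WARN/ERROR entries. The sample log embeds the line quoted in the thread; the remaining lines and their wordings are constructed for illustration, not verbatim splunkd output.

```python
import re

# splunkd.log line layout: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL  Component - message"
LINE_RE = re.compile(r"^\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}\s+"
                     r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$")
FILE_RE = re.compile(r"file='([^']+)'")
TAILING_COMPONENTS = {"TailingProcessor", "WatchedFile"}
# Constructed sample: line 1 is the entry quoted in the thread; the others are
# assumed wordings for illustration, not verbatim splunkd output.
SAMPLE_LOG = r"""
04-01-2014 09:18:42.197 -0500 INFO  TailingProcessor - Parsing configuration stanza: monitor://C:\Websites\logs\...\*.
04-01-2014 09:18:42.250 -0500 INFO  WatchedFile - Will begin reading at offset=0 for file='C:\Websites\logs\site1\app.log'.
04-01-2014 09:18:42.260 -0500 WARN  TailingProcessor - Ignoring path due to blacklist: C:\Websites\logs\site2\old.log.
04-01-2014 09:18:43.000 -0500 INFO  TailingProcessor - Parsing configuration stanza: perfmon://CPU.
04-01-2014 09:18:43.100 -0500 ERROR TailingProcessor - Could not access path 'C:\Websites\logs\site3': Access is denied.
"""
def parse_splunkd_log(text):
    """Yield (level, component, message) for each well-formed splunkd.log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("level"), m.group("component"), m.group("msg")

def stanza_base_dir(stanza_path):
    """Directory a monitor stanza watches: the path up to the first '...' or '*' segment."""
    path = stanza_path.split("://", 1)[-1].replace("/", "\\")
    kept = []
    for seg in path.split("\\"):
        if "..." in seg or "*" in seg:
            break
        kept.append(seg)
    return "\\".join(kept)

def triage_input(log_text, stanza_path):
    """Report what the tailing subsystem logged about one monitor stanza."""
    base = stanza_base_dir(stanza_path).lower()
    result = {"stanza_parsed": False, "files_opened": [], "problems": []}
    for level, component, msg in parse_splunkd_log(log_text):
        if component not in TAILING_COMPONENTS:
            continue
        if "Parsing configuration stanza" in msg and stanza_path.lower() in msg.lower():
            result["stanza_parsed"] = True  # the stanza was at least read from inputs.conf
        elif base in msg.lower():
            fm = FILE_RE.search(msg)
            if fm and "begin reading" in msg:
                result["files_opened"].append(fm.group(1))  # a file under the watched dir was opened
            if level in ("WARN", "ERROR"):
                result["problems"].append(f"{level}: {msg}")  # paths skipped or inaccessible
    return result
```

Calling triage_input(SAMPLE_LOG, r"monitor://C:\Websites\logs\...\*") returns a dict showing the stanza was parsed, one file was opened, and two entries (a blacklist skip and an access-denied path) deserve a look; a parsed stanza with no files opened and no problems usually points to a path or permissions issue rather than the fishbucket.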

neiljpeterson
Communicator

splunk clean all does this. I just did it again as a test.


MuS
SplunkTrust

On a forwarder you should remove the folder $SPLUNK_HOME/var/lib/splunk/fishbucket.


neiljpeterson
Communicator

One or the other, or both?
