I have a universal forwarder pushing a log file from a Windows server into a Splunk indexer in this manner.
Configuration from ->
C:\Program Files\SplunkUniversalForwarder\etc\system\local\inputs.conf
[monitor://C:\temp\somelogfile.txt]
disabled=0
followtail=0
index=logger
sourcetype=txt
This pushes data from that txt file (which gets updated ONCE a day, NOT rolled over) -- ONCE a day. Everything gets pushed out to the indexer correctly and all is fine and dandy EXCEPT
In the Splunk search bar
-> The search works when I enter : index="logger"
- I can drilldown to the sourcetype and then show events
-> The search ALSO works when I enter : index="logger" sourcetype="txt". This shows events.
-> The search does NOT work when I ONLY enter sourcetype="txt" into the splunk search bar.
No results show up
Anybody have an idea as to why Splunk would simply not recognize and filter by sourcetype ALONE when pushing data from a universal forwarder? I don't see any errors under /var/log/audit.log or any other log files, just FYI.
For most other sourcetype/index combinations that I am familiar with, you can search by either SOURCETYPE OR INDEX -- and then drill down by the OTHER once the events start to appear.
Is it possible that I am not setting something in inputs.conf that I am supposed to when the resource being indexed does not live on the indexer itself ?
Any input would be appreciated.
I don't think the particular way you're feeding the data into Splunk has anything to do with this. More likely, you need to specify index=logger because your user/role is not configured to search in the logger index by default. Only the main index is searched by default - you can configure this in the manager in Splunkweb:
Manager » Access controls » Roles » [role to configure] - "Indexes searched by default".
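To see what the answer above describes, here is an added example (not from the original thread and not Splunk's own code) that models the two authorize.conf role settings involved: srchIndexesAllowed, which governs which indexes a role may search at all, and srchIndexesDefault, which governs which indexes a search with no index= term covers. The role names and the conf fragment are constructed for illustration, and importRoles inheritance is ignored.

```python
import configparser
import fnmatch

# Constructed authorize.conf fragment with two hypothetical roles (not a real deployment).
AUTHORIZE_CONF = """[role_analyst]
srchIndexesAllowed = main;logger
srchIndexesDefault = main

[role_power]
srchIndexesAllowed = *;_*
srchIndexesDefault = main;logger
"""

def parse_conf(text):
    """Splunk .conf files are INI-style; disable interpolation so '%' stays literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def split_indexes(value):
    """Both settings are ';'-separated lists of index names or wildcard patterns."""
    return [v.strip() for v in value.split(";") if v.strip()]

def matches(index, patterns):
    """Wildcard match with Splunk's rule that '*' never covers internal '_' indexes."""
    for pattern in patterns:
        if index.startswith("_") != pattern.startswith("_"):
            continue
        if fnmatch.fnmatchcase(index, pattern):
            return True
    return False

def diagnose(conf_text, role, index):
    """Return 'not_allowed', 'allowed_not_default' or 'default'; ignores importRoles."""
    cp = parse_conf(conf_text)
    section = f"role_{role}"
    allowed = split_indexes(cp.get(section, "srchIndexesAllowed", fallback=""))
    default = split_indexes(cp.get(section, "srchIndexesDefault", fallback=""))
    if not matches(index, allowed):
        return "not_allowed"  # unreachable even with an explicit index=logger
    if not matches(index, default):
        return "allowed_not_default"  # a bare sourcetype="txt" search finds nothing
    return "default"

if __name__ == "__main__":
    for role in ("analyst", "power"):
        print(role, "logger:", diagnose(AUTHORIZE_CONF, role, "logger"))
```

An index that is allowed but not default is exactly the situation in the question: events appear with index="logger" sourcetype="txt" but not with sourcetype="txt" alone. Widening srchIndexesDefault only changes the default search scope; srchIndexesAllowed remains the access boundary.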
Worked like a charm!