Re: Splunk_TA_nix local inputs.conf not allowing m...

diptij · ‎06-24-2020

I created a Splunk_TA_nix/local/inputs.conf.

I created 2 different indexes in indexes.conf. And then I created an inputs.conf and monitored 2 directories with 2 different indexes with same sourcetype.

I put files in the directories.

But the 2nd index doesn't get data in.

Help please

anilchaithu · ‎06-24-2020

@diptij

Can you please share your monitor stanza? Did you check splund logs for any errors?

It should not depend the add-on. It only depends on

1) The user running splunk on the server must have read permissions to the directories.

2) monitor stanza should be error free

diptij · ‎06-25-2020

Thank-you Anil for responding.

I was ingesting too many files and the indexing/ingesting was taking a lot of time.

I was looking at the output of 'splunk list inputstatus' https://localhost:8089/services/admin/inputstatus to see what the status of the indexing was: the file position showed as 0 and status as File was read. So, it wasn't conclusive as to what was happening.

anilchaithu · ‎06-29-2020

@diptij

If its with the data volume, try to increase the throughput to 512kbps OR more (default is 256kbps) for debug purpose and see if this resolves. we went upto 4096kbps for one of the use case.

Is there any errors in the log messages?

Splunk_TA_nix local inputs.conf not allowing multiple indexes

inputs.conf

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation