Splunk not indexing some files

cafissimo
Communicator

Hello, I am trying to index some files from a light forwarder on a Unix directory (HP-UX), by writing a proper inputs.conf file. Splunk sends only some files to the indexer and seems to ignore others, and I am sure that inputs.conf is correct. Splunk version is 4.1.3. Has anyone experienced a similar problem? Luca.

I am getting these messages in the indexer (internal index) about the file I am trying to index (a file that is always growing on the forwarder):

10-06-2010 15:23:49.182 DEBUG TailingProcessor - Deferred notification for path='/xxx/logs/weblogic/ib8o0/banking-jsp.log'.

10-06-2010 15:23:49.182 DEBUG TailingProcessor - Have seen this item before.

10-06-2010 15:23:49.182 DEBUG TailingProcessor - Will attempt to read file: /xxx/logs/weblogic/ib8o0/banking-jsp.log from existing fd.

10-06-2010 15:23:49.183 DEBUG TailingProcessor - About to read data (Reusing existing fd for file='/xxx/logs/weblogic/ib8o0/banking-jsp.log').

10-06-2010 15:23:49.183 DEBUG TailingProcessor - Hit EOF immediately.

10-06-2010 15:23:49.183 DEBUG TailingProcessor - Have definitely hit EOF.

Lowell
Super Champion

You'll probably need to provide more details about what you are trying to do. Your inputs.conf stanza would help. Specific file names that are being ignored would help. (Click the "edit" link under your question to add additional details to your post.)

In the meantime, I would recommend seeing if you have any source patterns set up to block some of your files. You can run the following command on some of your files that are currently being blocked:

$SPLUNK_HOME/bin/splunk test sourcetype /path/to/your/logfiles/missing.log

You may also want to run this as the "splunk" user, just to eliminate any possibility of file permission issues.

It may also be enlightening to look around in the _internal index to see if there are any messages about not being able to process the files in question. (This of course assumes you are forwarding your _internal index.) Try a search like this:

 index=_internal sourcetype=splunkd /path/to/your/logfiles/*

cafissimo
Communicator

It seems it was a timestamp recognition problem. I have fixed TIME_FORMAT in props.conf and now the file is being indexed.
