Getting Data In

Splunk universal forwarder isnt sending ONE folder

rtalcik
Path Finder

So I have a seperate folder that was prebuilt from splunk universal forwarder.

The folder path is :

/opt/splunkforwarder/etc/apps/"MY folders HERE"

one of the folders under /apps IS sending

the other folder is not and all it has is a path of

/apps/NOT SENDING FOLDER/local/input.conf

inside inputs.conf I have

[monitor:///var/log/router/.log]
host_regex=router/(.
).log
sourcetype=cisco
index=net
crcSalt=
disabled = 0

this is not monitoring the folder and NO logs are going into splunk

however in the correct folder that is sending i have
[monitor:///var/log/security.log]
sourcetype = seclog
index = sec
disabled = 0

I also have the following folders in the correct logs that i do not have in the no working log

default local metadata README.md static

was wondering if anyone can point me in the direction to help me figure out why one folder is sending but the other isnt.

0 Karma
1 Solution

rtalcik
Path Finder

So i fixed this issue but investigating the errors in splunkd logs like manjuanthemeti said above.

This was resolved by finding out what the issue was and removing empty log files in the directory.

View solution in original post

0 Karma

rtalcik
Path Finder

So i fixed this issue but investigating the errors in splunkd logs like manjuanthemeti said above.

This was resolved by finding out what the issue was and removing empty log files in the directory.

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

I don't think it's something to do with apps. Configurations looks correct. Check user running splunk process has read permissions to log files in directory /var/log/router/.

If user has read permissions then check for any errors in splunkd logs in /opt/splunkforwarder/var/log/splunk/.

0 Karma

rtalcik
Path Finder

permissions seem fine. they all have root accesss rw both ways

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

Is root running splunk process? Check splunkd logs /opt/splunkforwarder/var/log/splunk/splunkd.logs and also check if index "net" is created on indexer servers.

0 Karma

rtalcik
Path Finder

very good point I will do.

0 Karma

rtalcik
Path Finder

both have root access

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Avoid Certificate Expiry Issues in Splunk Enterprise with Certificate Assist

This blog post is part 2 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...