Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Splunk universal forwarder isnt sending ONE folder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I have a seperate folder that was prebuilt from splunk universal forwarder.
The folder path is :
/opt/splunkforwarder/etc/apps/"MY folders HERE"
one of the folders under /apps IS sending
the other folder is not and all it has is a path of
/apps/NOT SENDING FOLDER/local/input.conf
inside inputs.conf I have
[monitor:///var/log/router/.log]
host_regex=router/(.).log
sourcetype=cisco
index=net
crcSalt=
disabled = 0
this is not monitoring the folder and NO logs are going into splunk
however in the correct folder that is sending i have
[monitor:///var/log/security.log]
sourcetype = seclog
index = sec
disabled = 0
I also have the following folders in the correct logs that i do not have in the no working log
default local metadata README.md static
was wondering if anyone can point me in the direction to help me figure out why one folder is sending but the other isnt.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So i fixed this issue but investigating the errors in splunkd logs like manjuanthemeti said above.
This was resolved by finding out what the issue was and removing empty log files in the directory.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So i fixed this issue but investigating the errors in splunkd logs like manjuanthemeti said above.
This was resolved by finding out what the issue was and removing empty log files in the directory.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think it's something to do with apps. Configurations looks correct. Check user running splunk process has read permissions to log files in directory /var/log/router/.
If user has read permissions then check for any errors in splunkd logs in /opt/splunkforwarder/var/log/splunk/.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
permissions seem fine. they all have root accesss rw both ways
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is root running splunk process? Check splunkd logs /opt/splunkforwarder/var/log/splunk/splunkd.logs and also check if index "net" is created on indexer servers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
very good point I will do.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
both have root access
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
