Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SplunkUniversalForwarder not forwarding input files

anantshah
Path Finder
‎08-22-2011 01:15 PM

We are using SplunkUniversalForwarder 4.2.3 x64 to forward some logs. inputs.conf has the following stanzas

[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs\CustomMSTRLog*]
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt =

[WinEventLog:Application]
disabled = 0

[WinEventLog:System]
disabled = 0

Eventlogs are getting forwarded without any issues but the apache logs are not. I am not seeing any errors in splunkd.log on the forwarder.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

anantshah
Path Finder
‎08-23-2011 01:01 PM

I was able to resolve the issue using a whitelist. I think the wild card does not work because (x86) in the path.

[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs]
whitelist = Custom[^/]*.log$
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt =

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

anantshah
Path Finder
‎08-23-2011 01:01 PM

I was able to resolve the issue using a whitelist. I think the wild card does not work because (x86) in the path.

[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs]
whitelist = Custom[^/]*.log$
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt =

View solution in original post

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎08-22-2011 10:45 PM

Hi anaptshah

there are many things, that could prevent a file from being read by the universal forwarder:

  • file permission: does the user/service account which runs the splunkd have read access to this file?
  • typo in the stanza: does splunkd.exe list monitor show your stanza with the correct path?
  • maybe the file just does not get changed?
  • did you restart your universal forwarder? it happened to me sometimes, that after the restart the file gets immediately read by splunk

hope this helps a bit and you get it fixed.

cheers

Reply
Solved! Jump to solution

anantshah
Path Finder
‎08-23-2011 10:30 AM

I uploaded the incorrect stanza, the stanza thats not working is as follows

[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs\CustomMSTRLog*]
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt =

splunkd.exe list monitor shows the directory but does not show any of the files. Is there something special about (x86)? The stanza on the original post works fine.

0 Karma
Reply
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!

Get Updates on the Splunk Community!