Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- SplunkUniversalForwarder not forwarding input file...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anantshah
Path Finder
08-22-2011
01:15 PM
We are using SplunkUniversalForwarder 4.2.3 x64 to forward some logs. inputs.conf has the following stanzas
[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs\CustomMSTRLog*]
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt =
[WinEventLog:Application]
disabled = 0
[WinEventLog:System]
disabled = 0
Eventlogs are getting forwarded without any issues but the apache logs are not. I am not seeing any errors in splunkd.log on the forwarder.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anantshah
Path Finder
08-23-2011
01:01 PM
I was able to resolve the issue using a whitelist. I think the wild card does not work because (x86) in the path.
[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs]
whitelist = Custom[^/]*.log$
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt =
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anantshah
Path Finder
08-23-2011
01:01 PM
I was able to resolve the issue using a whitelist. I think the wild card does not work because (x86) in the path.
[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs]
whitelist = Custom[^/]*.log$
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt =
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
08-22-2011
10:45 PM
Hi anaptshah
there are many things, that could prevent a file from being read by the universal forwarder:
- file permission: does the user/service account which runs the splunkd have read access to this file?
- typo in the stanza: does
splunkd.exe list monitorshow your stanza with the correct path? - maybe the file just does not get changed?
- did you restart your universal forwarder? it happened to me sometimes, that after the restart the file gets immediately read by splunk
hope this helps a bit and you get it fixed.
cheers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anantshah
Path Finder
08-23-2011
10:30 AM
I uploaded the incorrect stanza, the stanza thats not working is as follows
[monitor://D:\Program Files (x86)\MicroStrategy\Web Logs\CustomMSTRLog*]
disabled = 0
sourcetype = stg_mstr_esm_log
crcSalt =
splunkd.exe list monitor shows the directory but does not show any of the files. Is there something special about (x86)? The stanza on the original post works fine.
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
