Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunkforwarder not collecting some logging data from host?

joesrepsol
Path Finder
‎01-30-2018 10:19 AM

Running Splunk 6.5.0, host in question is a linux box, seeing that it's collecting _internal logs, other defined "apps" for NMON, BladeLogic, OS, etc... all working fine. But there are other apps that seemed to stop collecting data since 1/18/2018 for some reason.

I've logged into the host, became the "splunk" user and validated access to the logs in question. no permissions issues. That works.
I've check the log, and there is new data there, so that looks good too.
I've restarted the splunkforwarder, everything else collecting data, just not this particular app.

Where do I go from here? Should i look into the fish bucket (not entirely sure what to do in there anyways).

Thanks!

Joe

Tags (1)
0 Karma
Reply

joesrepsol
Path Finder
‎01-30-2018 12:43 PM

Looking into this "tailing process" you listed...

Yes, the app is enable. There are (3) files we're monitoring. The other 2 working fine. Definitely a strange issue. The "system_logs" are the ones that mysteriously stopped working.

INPUTS.CONF
[monitor:///var/logs/cassandra/system.log]
disabled = false
sourcetype = system_logs
index = cassandra

[monitor:///var/logs/cassandra/audit/audit.log]
disabled = false
sourcetype = audit_logs
index = cassandra

[monitor:///var/logs/cassandra/solrvalidation.log]
disabled = false
sourcetype = solrvalidation_logs
index = cassandra

0 Karma
Reply

traxxasbreaker
Communicator
‎01-30-2018 12:36 PM

Do you still see the apps with the logs that stopped collecting present on that forwarder, and are those apps/inputs enabled?

If that looks good, you can also check the TailingProcessor:FileStatus as outlined here to make sure that Splunk is actually watching those files and see whether it is reporting any problems with them.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...