Troubleshoot - Linux Universal Forwarder is not forwarding all files

daddyoh
Explorer

We have a UF on RHEL that forwards some files fine, but one file is not being forwarded. I recently added a file to forward and it is not being forwarded. We are using Splunk Light 6.4 and UF 6.4.

I can log into the splunk account for that UF and cat the file. I can see the contents of the file. This is also a file type that is being forwarded fine on other servers. I have restarted the UF several times, but no records are being forwarded. The volume of records in the file is low. Yesterday, when I added it, there were maybe 200 records. Today, after rotation, there are two records.

The records look like:

[26-Jul-2016 08:35:56 America/New_York] PHP Notice:  Trying to get property of non-object in /WWW/repos/kp4/includes/kp4/php/Artemis/Slideshow/Instagram.php on line 70
[26-Jul-2016 08:35:56 America/New_York] PHP Notice:  Trying to get property of non-object in /WWW/repos/kp4/includes/kp4/php/Artemis/Slideshow/Instagram.php on line 79

I'm very new to splunk. We have 5 servers successfully forwarding records from 16 files and folders. We forward about 500MB of records a day.

How can I diagnose this problem? We added this file to splunk via the Data Input menu item on the search head. We run a single search, index, deployment server. Very simple set up.

Thanks in advance for your help.

0 Karma
1 Solution

ddrillic
Ultra Champion

The place to start is "I can't find my data!"

daddyoh
Explorer

@ddrillic

The site won't let me post an answer because I don't have enough reputation points yet.

Thanks for the link. That is the first place I went to.

I did get it to work:

I ran this on the splunk search instance

http://webserlog:8000/en-US/debug/refresh

and restarted the UF instance. The contents of the file are now showing up.

0 Karma

daddyoh
Explorer

I restarted splunk UF and looked at splunkd.log and could not see any references to the file in the log file. No progress.

0 Karma
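The two things the poster tried (looking for the file in splunkd.log, and reloading the configuration before restarting the UF) point at the usual checks for a single file that never shows up: is the input actually configured on that forwarder, can the UF's account read the file, and has the tailing subsystem ever mentioned it in splunkd.log. The script below is an added example, not code from the thread or from Splunk; it runs those three checks as shell functions against constructed sample data (a small splunkd.log, an inputs.conf and a PHP error log written to a temp directory). The paths /var/log/httpd/error_log and /WWW/logs/php_errors.log are assumed; the thread does not name the file that was not forwarded.

```shell
#!/bin/sh
# Added example (not from the thread): three checks a UF admin can run when one
# monitored file never shows up, exercised here against constructed sample data.
# Assumed: the UF runs as user "splunk" and the unforwarded file is
# /WWW/logs/php_errors.log (hypothetical; the thread does not name the path).

# 1. How many splunkd.log lines mention the path? 0 is what the poster saw:
#    the tailing subsystem never opened the file, so check the input config first.
count_log_refs() {   # $1 = monitored path, $2 = splunkd.log
    grep -F -c -- "$1" "$2" || :   # grep exits 1 on zero matches; still print the 0
}

# 2. Can the current user read the file? Run it as the UF account (sudo -u splunk sh ...).
check_readable() {   # $1 = path -> prints ok | unreadable | missing
    if [ ! -e "$1" ]; then echo missing
    elif [ -r "$1" ]; then echo ok
    else echo unreadable
    fi
}

# 3. How many inputs.conf files under a tree carry a [monitor://] stanza for the path?
#    0 on the forwarder means the input added in the UI never reached this host.
count_monitor_stanzas() {   # $1 = monitored path, $2 = directory tree (e.g. $SPLUNK_HOME/etc)
    grep -rF -l -- "[monitor://$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# --- constructed sample data (approximates the splunkd.log / inputs.conf layout) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
FORWARDED=/var/log/httpd/error_log      # a file that does show up (assumed path)
STUCK=/WWW/logs/php_errors.log          # the one that does not (hypothetical path)
SAMPLE_LOG="$SAMPLE_DIR/splunkd.log"
printf '%s\n' \
  "07-26-2016 08:40:01.123 -0400 INFO  TailReader - Adding watch on path: $FORWARDED." \
  "07-26-2016 08:40:01.125 -0400 INFO  WatchedFile - Will begin reading at offset=0 for file='$FORWARDED'." \
  "07-26-2016 08:40:02.001 -0400 INFO  TcpOutputProc - Connected to idx=10.0.0.5:9997" \
  > "$SAMPLE_LOG"
mkdir -p "$SAMPLE_DIR/etc/apps/myapp/local"
printf '%s\n' "[monitor://$FORWARDED]" "sourcetype = apache_error" \
  > "$SAMPLE_DIR/etc/apps/myapp/local/inputs.conf"
printf '%s\n' "[26-Jul-2016 08:35:56 America/New_York] PHP Notice:  Trying to get property of non-object" \
  > "$SAMPLE_DIR/php_errors.log"

# Report, read the way an admin would: the stuck file has no stanza and no log trace
for p in "$FORWARDED" "$STUCK"; do
    echo "$p: stanzas=$(count_monitor_stanzas "$p" "$SAMPLE_DIR/etc")" \
         "log_refs=$(count_log_refs "$p" "$SAMPLE_LOG")"
done
echo "readable: $(check_readable "$SAMPLE_DIR/php_errors.log")"
```

On a real forwarder, point the functions at $SPLUNK_HOME/var/log/splunk/splunkd.log and $SPLUNK_HOME/etc, and compare with the merged view from `splunk btool inputs list --debug` (which also tells you which app the stanza came from) and `splunk list inputstatus`. A stanza count of zero with no log references is the pattern you get when an input created in the UI of a search head or deployment server has not been pushed to the forwarder yet; a readable file with a stanza but no log references is worth checking in `index=_internal source=*splunkd.log` on the indexer, since the UF forwards its own logs there.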