No ERROR or WARN, but I do see this:

01-29-2021 09:36:05.565 -0700 INFO TailingProcessor - Adding watch on path: /hana/shared.
• host = XXXXXXX
• source = /opt/splunkforwarder/var/log/splunk/splunkd.log
sourcetype = splunkd

01-29-2021 09:36:05.565 -0700 INFO TailingProcessor - Parsing configuration stanza: monitor:///hana/shared/*/HDB00/*/trace.
• host = XXXXXXX
• source = /opt/splunkforwarder/var/log/splunk/splunkd.log
• sourcetype = splunkd

Hello Bro.,  would you share how I would look for a list of "missing indexes" in Splunk Ent.  please? The error I get says: Events not received from missing indexes". How would I fix "missing indexes issues" please? Thanks a million. teşekkürler.

Hi @SamHTexas,

The solution is to create those missing indexes shown on messages on your indexers. I assume you are running clustered environment, you should do this on your cluster master and distribute it to your indexers.

If you want to check if you have an input that setup for non-exist index, you should check all your inputs.conf files for index values and compare them with your cluster indexes.conf files.

The files are *trc, and the sub-directory under shared always end in 1, so I updated the monitor line like so:

[monitor:///hana/shared/*1/XXX00/*/trace/*.trc]

 I then ran 'splunk list inputstatus' from the UF, and it looks like splunk is seeing the correct log files. Here is a snippet from the output:

/hana/shared/SE1/XXX00/xxxxxxx/trace/system_availability_xxxxxxxxxxxx.trc
                file position = 39983
                file size = 39983
                parent = /hana/shared/*1/XXX00/*/trace/*.trc
                percent = 100.00
                type = finished reading

        /hana/shared/SE1/HDB00/xxxxxxx/trace/webdispatcher_xxxxxxxxxx.30006.000.trc
                file position = 257800
                file size = 257800
                parent = /hana/shared/*1/XXX00/*/trace/*.trc
                percent = 100.00
                type = open file

 I still don't see any data in the 'sap' index though.

Hi @emsecrist,

Splunk seems successfully hit the correct files. I believe these trace files are not plain text. That is why it cannot index. Maybe you can use DBConnect to query these trace info.

@scelikok One more question... If I wanted to monitor all the log files in the .../trace directory, how could I do that?

Great! 😊 

You can try below;

[monitor:///hana/shared/*/XXX00/*/trace/*]
sourcetype = sap-hana-trace
index = sap

The data shows up now! I re-did the search with a longer time range, and it's there. Thank you for the help!

Thanks, tried that command, still no data.

If you're desperate try

index=* source="/hana/*"

Have you confirmed the forwarder has read access to the file path it's trying to monitor?  

How many files are in that path?  I'm wondering if it's more than the UF can handle.

Yes I am desperate. 😀

Tried that search, no data found. The UF does have access to the directory. The directory contains 2715 files.

Yes I am able to see the internal logs from those UFs, and yes the UF restart is enabled after deployment. I even manually restarted one of the UFs. I also switched to the splunk user and verified read access to the directory and files.

What splunk list inputstatus shows on UF?

Probably you have already check these: https://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

r. Ismo

That is a helpful command, 'splunk list inputstatus', it provides a lot of information! I am doing some analysis of the output, I will let you know if I find anything interesting.