UF is not forwarding the JSON data to indexers

Path Finder

Hello,

I configured the UF to monitor a JSON file in a specific directory, but it's not forwarding it to the indexers.

The output is working properly, as there are files being sent to the indexers.

Here is my input file:
[monitor://C:\temp*.json]
index=test1
sourcetype=test_styp

My props:
[test_styp]
INDEXED_EXTRACTIONS =json
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N+%4N
TIME_PREFIX="observedTime":"
MAX_TIMESTAMP_LOOKAHEAD=28

The Splunk logs state the following: "Adding watch on path splunk [monitor://C:\temp*]", but nothing is being ingested.

I tried running this SPL search on my SH to check if something related to JSON extraction is but nothing returned:

test_styp | rex "incoming=\"(?.+)\", transformed=" | spath = incoming

Could you please help ?

0 Karma
1 Solution

Path Finder

The file format was the issue. I also uploaded the file into a Splunk instance and generated the props file, then copied it to where the UF is installed.

0 Karma

Path Finder

So I got the file ingested into the indexers now (there was something wrong with the file format), but I'm having problems extracting the JSON fields properly. I'm not getting all of the lines.

Here is my props file now

[test]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Structured
disabled = false
pulldown_type = true

0 Karma

SplunkTrust

Please post a new question showing the original data and what is indexed.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Influencer

1. If temp is a directory, then the monitor should be:

 [monitor://C:\temp\*.json]

2. If not, then check that the user running the Splunk forwarder service has access to C:\temp*.json.

3. Search the data with index name.

index=test1 sourcetype=test_styp
0 Karma
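A preflight check for the points in the reply above and for the file-format cause named in the accepted solution, as an added example that is not part of the original thread and is not Splunk's own code. The function names are hypothetical, the wildcard matcher is a simplified model in which `*` stays inside one path segment, and because the thread never says what was wrong with the file, the encoding and per-record JSON checks are assumed candidates.

```python
import configparser, fnmatch, json
# Constructed samples: the stanza from the question, then the form suggested in the reply.
SAMPLE_INPUTS = r"""
[monitor://C:\temp*.json]
index=test1
sourcetype=test_styp
[monitor://C:\temp\*.json]
"""
SAMPLE_FILES = {  # constructed: Windows path -> bytes, so nothing touches a real disk
    r"C:\temp\good.json": b'{"observedTime":"2024-01-01T00:00:00.000+0000"}\n{"a":2}\n',
    r"C:\temp\utf16.json": '{"a":1}'.encode("utf-16"),
    r"C:\temp\broken.json": b'{"a":1}\n{"a":\n',
}

def monitor_patterns(conf_text):
    """Path patterns of all [monitor://...] stanzas in an inputs.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return [s[len("monitor://"):] for s in cp.sections() if s.startswith("monitor://")]

def matches(pattern, path):
    """Simplified model (assumption): '*' never crosses a backslash; '...' is not handled."""
    pp, fp = pattern.lower().split("\\"), path.lower().split("\\")
    return len(pp) == len(fp) and all(fnmatch.fnmatchcase(f, p) for f, p in zip(fp, pp))

def _ok(s):
    try:
        json.loads(s)
        return True
    except ValueError:
        return False

def json_problem(raw):
    """None if raw is one JSON document or one JSON record per line, else a reason."""
    try:
        text = raw.decode("utf-8").lstrip("\ufeff")
    except UnicodeDecodeError:
        return "not UTF-8"
    docs = [text] if _ok(text) else [l for l in text.splitlines() if l.strip()]
    bad = [n for n, l in enumerate(docs, 1) if not _ok(l)]
    return f"record {bad[0]} is not valid JSON" if bad else (None if docs else "empty file")

def preflight(conf_text, files):
    """One (pattern, path or None, problem or None) row per stanza/file pair."""
    report = []
    for pat in monitor_patterns(conf_text):
        hits = [p for p in files if matches(pat, p)]
        report += [(pat, p, json_problem(files[p])) for p in hits] or [(pat, None, "pattern matches no file")]
    return report
```

Calling `preflight(SAMPLE_INPUTS, SAMPLE_FILES)` reports the first stanza as matching nothing under `C:\temp\`, and flags the UTF-16 and truncated files under the second.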

Path Finder

Thanks Manjunath,

I actually have it that way, with the temp*.json. And I tried the full syntax (index, sourcetype); nothing changed. I checked the user access, and it has full access to that path.

0 Karma

Motivator

Hello @newsplunker1

Can you check that your monitor stanza includes disabled = 0? If you don't set it to 0 (zero), then it is disabled by default:

disabled = [0|1]
* Whether or not the event collector input is active.
* Set this setting to "1" to disable the input, and "0" to enable it.
* Default: 1 (disabled).
0 Karma

Path Finder

Thanks Pave - Did that but no changes

0 Karma

Motivator

Have you restarted Splunk?

0 Karma

Path Finder

Yes, I restarted after making the changes. I keep seeing this: "TailingProcessor - Adding watch on path: C:\temp\". So to me, it's able to see the path but not able to read it? If so, the Splunk account has access to that path, so I don't know what's going on.

0 Karma

Motivator

Run this query in CMD (adjust the Splunk path as needed):

C:\programfiles\splunkforwarder\bin\splunk.exe _internal call /services/admin/inputstatus/TailingProcessor:FileStatus
0 Karma

Path Finder

So I got the file ingested into the indexers now (there is something wrong with the file format), but I'm having a problem extracting the JSON fields properly.

0 Karma

Motivator

Hello @newsplunker1

glad you worked it out!

Please create a new question, so more people can see it and help!

0 Karma

SplunkTrust

Search for index=test1 sourcetype=test_styp to see if you find anything. Searches should always specify an index name.
Verify Splunk can read the files. Run splunk list monitor on the UF to see if the file is really being monitored.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Path Finder

Thanks rich,
I tried that but nothing returned. I tried the splunk list command and it showed no directory is being monitored, which is weird because I have other directories working properly.

0 Karma