Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Universal Forwarder is not reading the log files

iamsplunker
Communicator
‎11-11-2023 03:31 PM

Hello Splunkers, 

I have an issue with the UF file monitoring where the input is not being monitored/ not forwarding the events to splunk. I do not have access to the server to run the btool.

[monitor:///opt/BA/forceAutomation/workuser.ABD/output/event_circuit.ABD.*]
sourcetype = banana
_meta=Appid::APP-1234 DataClassification::Unclassified
index = test
disabled = 0
crcSalt = <SOURCE>
ignoreOlderThan = 7d

The host(s) are sending _internal logs to Splunk, Here is the info I see in splunkd.log no errors, I tried the wildcard (*) in the monitoring stanza at the end after /output dir however it didn't work

TailingProcessor [ MainTailingThread] - Parsing configuration stanza: monitor :///opt/BA/forceAutomation/workuser.ABD/output/event_circuit.ABD.*

Actual log file 

-rw-r--r--1 automat autouser 6184 Oct 8 00:00 event_circuit.ABD.11082023

 

 

 

Labels (3)
Tags (3)
0 Karma
Reply

SanjayReddy
SplunkTrust
SplunkTrust
‎11-11-2023 07:26 PM

Hi @iamsplunker 

from inputs.conf and log file last modified, there is an issue I see 

as log file modified last month and in inputs.conf you mentioned ignoreOlderThan = 7d 

Splunk will ignore log files which are modified more than 7 days ago.

I would suggest comment ignoreOlderThan = 7d  for first time and restart splunkd , 

once splunk reads older file then you can comment again.

0 Karma
Reply

iamsplunker
Communicator
‎11-11-2023 07:32 PM

@SanjayReddy Thanks for your response, I just mentioned the log format. Actually the log file is recent, new file will be generated everyday filename.<date>
I updated my post as well. 

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...