Getting Data In

Upgraded Universal Forwarder, log file no longer monitored

gustavomichels
Path Finder

Hey all,

I'm able to successfully monitor a log file on a Windows server (2008 R2) using the Universal Forwarder while on version 4.3.1. The entry in inputs.conf is a simple [monitor://<path to file>], no additional options are used.

I performed an in-place upgrade to UF 6.0.2 and I don't get anything from that file indexed anymore. I still get event log entries, it's just that specific file that is not being indexed.

splunkd.log on the host shows the file is being monitored as I see the TailingProcessor entries mentioning the stanza. splunk list monitor shows the file is being monitored.

Any ideas on how to debug this?

Thank you,

0 Karma
1 Solution

gustavomichels
Path Finder

I guess I didn't wait long enough. Problem was entries were being indexed with the wrong timestamp. Indexer is in GMT, host is in UTC, so I needed to add _tzhint=UTC to the monitor stanza.

All set now.

0 Karma
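
A search for confirming the symptom described in the accepted answer, added here as an example and not part of the original thread: it compares each event's parsed timestamp (`_time`) with the time it was indexed (`_indextime`), over a window that also reaches into the future so that events stamped ahead of the clock are not hidden by the time picker. The `index=*` wildcard and the 7-day window are assumptions; `<path to file>` is the placeholder from the question.

```spl
index=* source="<path to file>" earliest=-7d latest=+7d
| eval offset_hours = round((_indextime - _time) / 3600, 1)
| stats count min(_time) AS first_event max(_time) AS last_event BY host source offset_hours
| convert ctime(first_event) ctime(last_event)
| sort - count
```

An offset that sits at a constant whole number of hours for one host points at time zone interpretation rather than forwarding delay.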
