Why am I getting logs in but they are not going to the index I created?

3685506
New Member

I have deployed an app. I have checked all of the following again and again, and they look flawless.
inputs.conf
props.conf
serverclass.conf
indexes.conf

When I try to search for data by host, the events are there. They are going to _internal, _os, not to the index I created, doit_app_c4_168.
It means forwarders are forwarding the data, but it is not getting indexed properly. The index has been created, I checked that on the cluster master also.

0 Karma
1 Solution

sir_lamneth
Explorer

Are you saying that the events/data you expect to go into index=doit_app_c4_168 are ending up in index=_internal? Or are you just seeing data appear in the internal indexes for the Forwarder that you expect the data to come from?

Can you share your settings for:

From UF:
inputs.conf

From IDX:
props.conf
indexes.conf

For troubleshooting this, you don't want to rely just on what you put into the conf files. At runtime Splunk will coalesce all of the conf files from all of the underlying default/local directories of etc/system and etc/apps. So you should also use btool to help see what is going on.

For example, let's say you want to check the runtime status of your input stanza for your log file, and your definition in this case is called "doit_app_logs". You would run the following on the forwarder:

splunk btool inputs list | grep "\[doit_app_logs\]" -A 10

You can do the same from an Indexer to check on the runtime configs of your index, too:

splunk btool indexes list | grep "\[doit_app_c4_168\]" -A 10

0 Karma
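One way to turn the two btool checks in the answer above into a single cross-check, as an added example that is not part of the original answer: it lists every input stanza whose `index =` setting names an index the indexer does not define. The two btool outputs are replaced by constructed sample text so it runs offline; the monitor paths and the misspelled index `doit_app_c4_186` are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Real usage would feed it:
#   on the forwarder:  splunk btool inputs list  > inputs.txt
#   on the indexer:    splunk btool indexes list > indexes.txt
# and pass the two files' contents as the arguments.

# Constructed sample of what `splunk btool inputs list` prints on the UF.
INPUTS_SAMPLE='[monitor:///var/log/doit/app.log]
disabled = 0
index = doit_app_c4_168
sourcetype = doit:app
[monitor:///var/log/doit/worker.log]
index = doit_app_c4_186
[monitor:///var/log/messages]
sourcetype = syslog'

# Constructed sample of what `splunk btool indexes list` prints on the IDX.
INDEXES_SAMPLE='[_internal]
homePath = $SPLUNK_DB/_internaldb/db
[doit_app_c4_168]
homePath = $SPLUNK_DB/doit_app_c4_168/db'

# missing_indexes INPUTS_TEXT INDEXES_TEXT
# Prints "stanza -> index" for each input whose target index is not
# defined on the indexer; an input with no index= at all is reported
# as "(none set)", since it falls through to the default index.
missing_indexes() {
  # Collect the stanza names from the indexer side: "[name]" -> "name".
  known="$(printf '%s\n' "$2" | awk '/^\[/ { print substr($0, 2, length($0) - 2) }' | tr '\n' ' ')"
  printf '%s\n' "$1" | awk -v known="$known" '
    BEGIN { n = split(known, a, " "); for (i = 1; i <= n; i++) have[a[i]] = 1 }
    function flush() {
      if (stanza == "") return
      if (target == "") print stanza " -> (none set)"
      else if (!(target in have)) print stanza " -> " target
    }
    /^\[/ { flush(); stanza = $0; target = ""; next }   # new input stanza
    /^index[ \t]*=/ { sub(/^index[ \t]*=[ \t]*/, ""); target = $0 }
    END { flush() }'
}

missing_indexes "$INPUTS_SAMPLE" "$INDEXES_SAMPLE"
```

Any stanza this prints is sending events to an index the indexer does not know about, so those events cannot end up in the index you created no matter how correct the app's own conf files look.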