Getting Data In

Why am I not seeing the events for a file?

sekhar463
Path Finder

Hi All,

i have added an input to ingest one file into splunk from deployment server

i have created new app and created inputs file as below

but logs are not coming for this 

Labels (4)
0 Karma

shivanshu1593
Builder

In the app configuration under Forwarder Management, have you selected "Restart Splunkd" option? Configurations will come into place once splunkd is restarted on the servers where this app is being deployed. Select the option if you haven't already and reload the server class using the command "$SPLUNK_HOME/bin/splunk reload deploy-server -class <serverclass_name>" (Remove double quotes and replace $SPLUNK_HOME with your environment variable). Once the forwarders phone home to the DS, they will pick this app again and restart Splunkd on the servers.

Also, please check if there are any error messages using the following search by substituting the name of the servers that are supposed to send logs. Also, you can confirm if these servers are actually phoning home to your deployment server or not. The last thing to check once its ensured that the servers are phoning home to DS, app is deployed to the server and splunkd has been restarted on them would be to check if the user which was used to install Splunk UFs on the servers has enough privileges to read the logs. 

 

index=_internal host=<host_name> log_level IN ("ERROR", "WARN")

 

 ++IF it helps, please consider accepting as an answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma

sekhar463
Path Finder

#cat inputs.conf
[monitor:///harvest/netapp/cloudsecure/agent-logs/*.log]
index = ivz_unix_linux_events
sourcetype = netapp:cloudsecure:agentlog
disabled = 0

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sekhar463,

are you sxure that this is the /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf file?

because in the error message are listed errors at rows 5,6 and 7 but you have only 4 rows.

Is there something else after the dispalyed rows?

Ciao.

Giuseppe

0 Karma

sekhar463
Path Finder

nothing was there 

yes the file in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf file

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sekhar463,

one additional question, is the app correctly deployed to the clients and sending logs?

Ciao.

Giuseppe

0 Karma

sekhar463
Path Finder

yes it was deployed for one client but not getting logs

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sekhar463,

are there logs to ingest at the location you ha in inputs.conf?

are you receiving internal ot other logs from that server?

Ciao.

Giuseppe

0 Karma

sekhar463
Path Finder

yes receiving internal logs as well 

but didnt get the logs from the file.

 

 

0 Karma

sekhar463
Path Finder

[monitor:///harvest/netapp/cloudsecure/agent-logs/*.log]
index = ivz_unix_linux_events
sourcetype = netapp:cloudsecure:agentlog
disabled = 0

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sekhar463,

let me understand:

  • you created an app,
  • this appa contains the inputs.conf you shared,
  • you deployed the app using the deploymrnt server to a client,
  • you're not receiving logs from that client,

is it correct?

if yes, at first check if you're receiving logs from that client using a simple search:

index=_internal host=<your_host>

if you have results connection is established otherwise, you have to check your connection.

If connection is established you hav eto debug your inputs.conf, one question:

  • /harvest/netapp/cloudsecure/agent-logs is a folder or a filename?

if, as I suppose, it's a folder, you have to add to the filename in the inputs.conf stanza, so if you want to take all the *.log files, you have to use:

[monitor:///harvest/netapp/cloudsecure/agent-logs/*.log]
index = ivz_unix_linux_events
sourcetype = netapp:cloudsecure:agentlog
disabled = false

or using whitelist.

Ciao.

Giuseppe

sekhar463
Path Finder

i have ingested using below but not getting logs

here are the internal logs for this file

 

2/7/23
1:18:01.382 PM
 
02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 7: checkpointInterval (value: 5).\n
 2/7/23
1:18:01.382 PM
 
02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 6: current_only (value: 1).\n
 2/7/23
1:18:01.382 PM
 
02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 5: start_from (value: oldest).\n
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sekhar463,

this means that in the splunk_netapp_agentlog/local/inputs.conf file there are two errors, could you share this file?

Ciao.

Giuseppe

0 Karma

sekhar463
Path Finder

its resolved as we missed app.conf file in the local 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @sekhar463,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)

Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...