Hi All,
I have added an input to ingest one file into Splunk from the deployment server.
I have created a new app and created the inputs file as below,
but logs are not coming for this.
In the app configuration under Forwarder Management, have you selected the "Restart Splunkd" option? Configurations will come into place once splunkd is restarted on the servers where this app is being deployed. Select the option if you haven't already and reload the server class using the command "$SPLUNK_HOME/bin/splunk reload deploy-server -class <serverclass_name>" (Remove double quotes and replace $SPLUNK_HOME with your environment variable). Once the forwarders phone home to the DS, they will pick this app again and restart Splunkd on the servers.
Also, please check if there are any error messages using the following search by substituting the name of the servers that are supposed to send logs. Also, you can confirm if these servers are actually phoning home to your deployment server or not. The last thing to check, once it's ensured that the servers are phoning home to the DS, the app is deployed to the server and splunkd has been restarted on them, would be to check if the user which was used to install Splunk UFs on the servers has enough privileges to read the logs.
index=_internal host=<host_name> log_level IN ("ERROR", "WARN")
++IF it helps, please consider accepting as an answer++
#cat inputs.conf
[monitor:///harvest/netapp/cloudsecure/agent-logs/*.log]
index = ivz_unix_linux_events
sourcetype = netapp:cloudsecure:agentlog
disabled = 0
Hi @sekhar463,
are you sure that this is the /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf file?
because in the error message are listed errors at rows 5,6 and 7 but you have only 4 rows.
Is there something else after the displayed rows?
Ciao.
Giuseppe
nothing was there
yes the file in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf file
Hi @sekhar463,
one additional question, is the app correctly deployed to the clients and sending logs?
Ciao.
Giuseppe
yes it was deployed for one client but not getting logs
Hi @sekhar463,
are there logs to ingest at the location you have in inputs.conf?
are you receiving internal or other logs from that server?
Ciao.
Giuseppe
yes receiving internal logs as well
but didn't get the logs from the file.
[monitor:///harvest/netapp/cloudsecure/agent-logs/*.log]
index = ivz_unix_linux_events
sourcetype = netapp:cloudsecure:agentlog
disabled = 0
Hi @sekhar463,
let me understand:
is it correct?
if yes, at first check if you're receiving logs from that client using a simple search:
index=_internal host=<your_host>
if you have results, the connection is established; otherwise, you have to check your connection.
If the connection is established you have to debug your inputs.conf, one question:
if, as I suppose, it's a folder, you have to add to the filename in the inputs.conf stanza, so if you want to take all the *.log files, you have to use:
[monitor:///harvest/netapp/cloudsecure/agent-logs/*.log]
index = ivz_unix_linux_events
sourcetype = netapp:cloudsecure:agentlog
disabled = false
or using whitelist.
Ciao.
Giuseppe
i have ingested using below but not getting logs
here are the internal logs for this file
2/7/23 1:18:01.382 PM | 02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 7: checkpointInterval (value: 5).\n
2/7/23 1:18:01.382 PM | 02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 6: current_only (value: 1).\n
2/7/23 1:18:01.382 PM | 02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 5: start_from (value: oldest).\n
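An added example, not part of the original thread: a small Python helper that reduces the "Invalid key in stanza" warnings quoted in the post above to a per-file, per-stanza list of offending line, key and value, so the deployed inputs.conf can be compared against what was meant to be deployed. The function name `invalid_keys` and the two sample lines marked as constructed are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First three events are the WARN lines from the post above (search-UI time
# column dropped). The last two lines are constructed: a repeat of one warning,
# as logged again after a restart, and an unrelated INFO event.
SAMPLE = """\
02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 7: checkpointInterval (value: 5).
02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 6: current_only (value: 1).
02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 5: start_from (value: oldest).
02-07-2023 02:10:44.120 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 5: start_from (value: oldest).
02-07-2023 02:10:45.001 -0600 INFO Application - constructed unrelated event
"""

# Matches the warning format shown in the thread:
#   Invalid key in stanza [<stanza>] in <conf file>, line <n>: <key> (value: <v>).
WARN_RE = re.compile(
    r"WARN\s+\S+ - Invalid key in stanza \[(?P<stanza>.+?)\] in "
    r"(?P<conf>\S+), line (?P<line>\d+): (?P<key>\S+)\s+\(value: (?P<value>.*?)\)\."
)


def invalid_keys(log_text):
    """Return {(conf_file, stanza): [(line_no, key, value), ...]}.

    Repeated warnings (one per splunkd restart) collapse into one entry,
    and entries are sorted by line number within each stanza.
    """
    found = defaultdict(set)
    for event in log_text.splitlines():
        m = WARN_RE.search(event)
        if m:  # ignore events that are not invalid-key warnings
            found[(m["conf"], m["stanza"])].add(
                (int(m["line"]), m["key"], m["value"])
            )
    return {where: sorted(keys) for where, keys in found.items()}


if __name__ == "__main__":
    for (conf, stanza), keys in invalid_keys(SAMPLE).items():
        print(f"{conf}\n  [{stanza}]")
        for line_no, key, value in keys:
            print(f"    line {line_no}: invalid key '{key}' (value: {value})")
```
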
Hi @sekhar463,
this means that in the splunk_netapp_agentlog/local/inputs.conf file there are two errors, could you share this file?
Ciao.
Giuseppe
it's resolved as we missed the app.conf file in the local
Hi @sekhar463,
if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the Contributors;-)