Getting Data In

Why am I not seeing the logs in Splunk GUI after configuring it in deployment servers?

erwinpastor
Explorer

I have configured the logs in the inputs.conf and added the servers in the serverclass.conf. Preliminary testing done to check if the client servers can connect to the Splunk deployment server and communication port - all good.

output.conf looks like the following:

defaultGroup = zone1
disabled = false
[tcpout:zone1]
server = deploymentserver:9996,heavyforwarederserver:9996

[tcpout-server://deploymentserver:9996]
[tcpout-server://heavyforwarder:9996]

inputs.log looks like the following:

[monitor://D:\Program Files (x86)...\vCAC...\Logs*]
index = index_name
sourcetype = sourcetype_name

Additional info: servers have an existing WinEventlog and Perfmon setup in Splunk.

For some reason, the changes are not being picked up by the Splunk GUI. Should there be any other config that needs to be done?

0 Karma

hagjos43
Contributor

For one, if the following syntax is what you actually have in your inputs.conf, it is incorrect.
You have: [monitor://D:Program Files (x86)...vCAC...Logs*]
You should have: [monitor://D:\Program Files (x86)....vCAC....Logs.....*]

You were missing the "\" after the "D:".

0 Karma

erwinpastor
Explorer

Sorry, might have been omitted during the paste. But the actual syntax has "\" after the "D:". So it is [monitor://D:\Program Files (x86)\...\vCAC\...\Logs\*]

0 Karma

hagjos43
Contributor

I've never tried to monitor a path with white spaces in the name. For testing purposes point it to a path with no spaces and see if you have any issues.

0 Karma

erwinpastor
Explorer

So the syntax should be like this [monitor://D:\Program*\...\vCAC\...\Logs\*] ? Will an asterisk (*) followed by ellipses (...) work in inputs.conf? Have you tried it before to monitor a path?

0 Karma

erwinpastor
Explorer

Just tried doing it without the spaces by editing the monitor to use Program*, but unfortunately it still didn't work.
Any idea how Program Files or Program Files (x86) can be monitored in Splunk?

0 Karma

hagjos43
Contributor

The inputs.conf file you are talking about above, is that the $splunk\etc\system\local\inputs.conf or $splunk\etc\apps\deployment....\inputs.conf?

0 Karma

erwinpastor
Explorer

The one in $splunk\etc\deployment....\inputs.conf

0 Karma
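
Added example, not part of any post in this thread and not Splunk's own code: a simplified model of the wildcard question raised above, using the regex equivalents given in Splunk's input-path documentation (`...` as `.*`, `*` as any characters except the path separator). It assumes the `...` in the posted stanzas is the literal Splunk wildcard; the function names and the sample file paths are constructed for illustration.

```python
import re

def monitor_to_regex(stanza_path, sep="\\"):
    """Model a monitor:// path as a regex: '...' -> '.*' (recurses through
    directories), '*' -> any run of characters except the path separator."""
    out, i = [], 0
    while i < len(stanza_path):
        if stanza_path.startswith("...", i):
            out.append(".*")
            i += 3
        elif stanza_path[i] == "*":
            out.append("[^" + re.escape(sep) + "]*")
            i += 1
        else:
            # Spaces and parentheses are escaped, so they match literally.
            out.append(re.escape(stanza_path[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")

def base_dir(stanza_path, sep="\\"):
    """Leading wildcard-free part of the path: where the monitor is rooted."""
    keep = []
    for part in stanza_path.split(sep):
        if "*" in part or "..." in part:
            break
        keep.append(part)
    return sep.join(keep) + sep

def matches(stanza_path, file_path):
    """True if the modelled regex for the stanza accepts the file path."""
    return monitor_to_regex(stanza_path).match(file_path) is not None

# Stanza paths from the thread, with '...' read as the Splunk wildcard (assumption).
FULL = r"D:\Program Files (x86)\...\vCAC\...\Logs\*"
STAR = r"D:\Program*\...\vCAC\...\Logs\*"
# Constructed file paths; the directory names between the wildcards are invented.
DIRECT = r"D:\Program Files (x86)\Vendor\vCAC\Server\Logs\All.log"
NESTED = r"D:\Program Files (x86)\Vendor\vCAC\Server\Logs\old\All.log"

if __name__ == "__main__":
    for stanza in (FULL, STAR):
        print(stanza, "-> rooted at", base_dir(stanza))
        for path in (DIRECT, NESTED):
            print("   ", "match   " if matches(stanza, path) else "no match", path)
```

In this model the spaces and parentheses in `Program Files (x86)` match literally, and the trailing `*` does not descend into subdirectories of `Logs`. Replacing the first segment with `Program*` moves the monitor root up to `D:\`.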