Hello fellow splunk users!
I am encountering a problem with indexing .csv files.
A bit of background story:
I am trying to index Windows Server 2003 data. Installing an universal forwarder does not work on this machine (the OS is too old apparently). Therefore, I installed a tool on the machine that forwards the logs to a syslog server. This works flawlessly.
The syslog server (Windows Server 2012 R2) stores the logs from the Windows 2003 Server in a local folder (C:/syslogServer/). This folder contains subfolders for each machine the syslog server collects data from (C:/syslogServer/win2003). The subfolders contain .csv files. I would like splunk to index those files.
The syslog server has an universal forwarder installed and on my distribution server I tried to configure a Data Input collecting the .csv files.
I tried all variants:
- telling splunk the path to C:/syslogServer (apparently it should recursively index all subfolders / contained files)
- telling splunk the path to C:/syslogServer/win2003
- telling splunk the path to the file I would like to index directly: C:/syslogServer/win2003/file.csv
See image for details.
I also tried uninstalling the universial forwarder on the syslog server and reinstalling it to tell the installer that I want to index the file (thus not using the deoployment server, but manually entering the indexer)
- no data from the created index is being found
- no data from the given source is being found
- no data from the given source type is being found
Also, I could not find any error messages in the log files. (python.log, splunkd.log)
Can someone please tell me what to do? Or is there any other way to index data from a Windows 2003 server?
You can install a Splunk 6.2.x Universal Forwarder on Windows 2003. Here is a link to the system requirements page:
You can download that installation package here:
With regards to your setup on the Windows Server 2012 with a Splunk Universal Forwarder, what are the settings in your inputs.conf? Can you confirm the configuration on your UF by running the btool command to get the combined configuration:
splunk btool inputs list --debug > outputfile.txt
Confirm that the input is configured, has the correct index and sourcetype. On the Search Head, run index= and see if that data or sourcetype is visible. If it is going to an index you are not configured to search by default, the data will not appear unless you specify the index.
Thank you - I feel stupid for not trying to install an older version . I ended up installing version 6.1.9. Starting with 6.2.x Windows 2003 was not listed in the supported systems any longer (Windows 7, 8, and 8.1 (32-bit)
Windows Server 2008 (32-bit)).
Of course this forwarder works and sends data to my indexer just fine.
I could not find any indicators that the configured input is taken into account and I can't figure out why.
The folder containing the inputs.conf is deployed to the Windows 2012 R2 server but running the btool reveals that the forwarder seemingly does not care about what's written there (searching for the file path in the outputfile.txt does not yield any results).
Even if my "collecting Windows 2003 logs"- problem is solved, I feel like there is an underlying problem I should work on. Do you have any idea why the inputs.conf in the deployed app is not taken into account?
Thanks a lot for your help!
I apologize, the download page itself doesn't list "2003" however 6.2 does support Windows 2003 for installing a Universal Forwarder. This is more an issue with the formatting constraints of the site from my understanding. You can cross check the supported OS chart here: http://docs.splunk.com/Documentation/Splunk/6.2.0/Installation/Systemrequirements#Windows_operating_.... As you will find, on the right hand side, Universal Forwarder is checked for both Windows 2003/2003R2 64bit as well as 32bit. You can use the x86\64bit package found here: http://www.splunk.com/page/previous_releases#x86_64windows,
With regards to your input. Are you certain the settings are deployed? On the UF, if you browse to
$SPLUNK_HOME\etc\apps\do you see the app where the settings are deployed to? If so, is there an inputs.conf file in the
$SPLUNK_HOME\etc\apps\local directory? If not, you can try adding the configuration directly to the UF by editing the relevant settings under
$SPLUNK_HOME\etc\system\local\. Here are some reference document in case you may find them helpful.
Oh, I see. Thank you for the links.
Yes, the app is in the
$SPLUNK_HOME\etc\apps\ folder and contains an inputs.conf within its local folder. I am using the deployment server for deploying apps to various machines and so far there have not been any problems. I really can't figure out why this input is not working.
Also, I tried to manually configure the file input during forwarder installation for testing purposes. Unfortunately, the data from the file is still not being indexed.
Anyhow, my main problem was solved by installing the older forwarder on the Windows 2003 machine, therefore I will accept your answer. Thanks a lot for your help!