Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Splunk not indexing the file but configuring inputs.conf?

JordanPeterson
Path Finder
‎05-09-2018 02:25 PM

So I am trying to monitor a file on the local indexer. I am setting it up through the Web UI to be sure it works. I get the following results in my splunkd.log

05-09-2018 16:05:44.453 -0500 INFO  TailingProcessor - Parsing configuration stanza: monitor:///tmp/TaskStatus.test.log.
05-09-2018 16:05:44.453 -0500 INFO  TailingProcessor - Adding watch on path: /tmp/TaskStatus.test.log.

But nothing actually shows up in the index. I've edited the file so I know it's changing and I was able to preview the file in the web interface and it loaded fine. The actual input itself is not working. Any thoughts on why?

The inputs.conf that gets created: 

[monitor:///tmp/TaskStatus.test.log]
disabled = false
index = tasklogs
sourcetype =_json

I made the splunk user the owner and verified it had read/write permissions on the file. If I upload the file for one time indexing it works fine.

I can't think of any reason it wouldn't work.

Reply
1 Solution
Solved! Jump to solution
Solution

JordanPeterson
Path Finder
‎05-10-2018 01:13 PM

The issue was it was stuck in ingestion queue. I changed how it acted when the file was in use in my inputs and props and it appears to be working now.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

JordanPeterson
Path Finder
‎05-10-2018 01:13 PM

The issue was it was stuck in ingestion queue. I changed how it acted when the file was in use in my inputs and props and it appears to be working now.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-09-2018 09:42 PM

There are many possible reasons:

If timestamping is wrong, the events could be landing in times outside of your expected search window (in the future, for example).
Similar to the above, check MAX_DAYS_HENCE and MAX_DAYS_AGO (and associated logs).
The settings/size of that index may be such that events get expired just after they are indexed.
You might have a firewall running on that indexer blocking outgoing connections to port 9997/9998.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-09-2018 02:53 PM

Try splunk show inputstatus on the CLI, as well as splunk list monitor

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...