Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Splunk not indexing the file but configuring inputs.conf?

JordanPeterson
Path Finder
‎05-09-2018 02:25 PM

So I am trying to monitor a file on the local indexer. I am setting it up through the Web UI to be sure it works. I get the following results in my splunkd.log

05-09-2018 16:05:44.453 -0500 INFO  TailingProcessor - Parsing configuration stanza: monitor:///tmp/TaskStatus.test.log.
05-09-2018 16:05:44.453 -0500 INFO  TailingProcessor - Adding watch on path: /tmp/TaskStatus.test.log.

But nothing actually shows up in the index. I've edited the file so I know it's changing and I was able to preview the file in the web interface and it loaded fine. The actual input itself is not working. Any thoughts on why?

The inputs.conf that gets created: 

[monitor:///tmp/TaskStatus.test.log]
disabled = false
index = tasklogs
sourcetype =_json

I made the splunk user the owner and verified it had read/write permissions on the file. If I upload the file for one time indexing it works fine.

I can't think of any reason it wouldn't work.

Reply
1 Solution
Solved! Jump to solution
Solution

JordanPeterson
Path Finder
‎05-10-2018 01:13 PM

The issue was it was stuck in ingestion queue. I changed how it acted when the file was in use in my inputs and props and it appears to be working now.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

JordanPeterson
Path Finder
‎05-10-2018 01:13 PM

The issue was it was stuck in ingestion queue. I changed how it acted when the file was in use in my inputs and props and it appears to be working now.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-09-2018 09:42 PM

There are many possible reasons:

If timestamping is wrong, the events could be landing in times outside of your expected search window (in the future, for example).
Similar to the above, check MAX_DAYS_HENCE and MAX_DAYS_AGO (and associated logs).
The settings/size of that index may be such that events get expired just after they are indexed.
You might have a firewall running on that indexer blocking outgoing connections to port 9997/9998.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-09-2018 02:53 PM

Try splunk show inputstatus on the CLI, as well as splunk list monitor

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...