Getting Data In

Why is Splunk not indexing the file but configuring inputs.conf?

JordanPeterson
Path Finder

So I am trying to monitor a file on the local indexer. I am setting it up through the Web UI to be sure it works. I get the following results in my splunkd.log

05-09-2018 16:05:44.453 -0500 INFO  TailingProcessor - Parsing configuration stanza: monitor:///tmp/TaskStatus.test.log.
05-09-2018 16:05:44.453 -0500 INFO  TailingProcessor - Adding watch on path: /tmp/TaskStatus.test.log.

But nothing actually shows up in the index. I've edited the file so I know it's changing and I was able to preview the file in the web interface and it loaded fine. The actual input itself is not working. Any thoughts on why?

The inputs.conf that gets created:

[monitor:///tmp/TaskStatus.test.log]
disabled = false
index = tasklogs
sourcetype =_json

I made the splunk user the owner and verified it had read/write permissions on the file. If I upload the file for one time indexing it works fine.

I can't think of any reason it wouldn't work.

1 Solution

JordanPeterson
Path Finder

The issue was it was stuck in ingestion queue. I changed how it acted when the file was in use in my inputs and props and it appears to be working now.

View solution in original post

0 Karma

JordanPeterson
Path Finder

The issue was it was stuck in ingestion queue. I changed how it acted when the file was in use in my inputs and props and it appears to be working now.

0 Karma

woodcock
Esteemed Legend

There are many possible reasons:

If timestamping is wrong, the events could be landing in times outside of your expected search window (in the future, for example).
Similar to the above, check MAX_DAYS_HENCE and MAX_DAYS_AGO (and associated logs).
The settings/size of that index may be such that events get expired just after they are indexed.
You might have a firewall running on that indexer blocking outgoing connections to port 9997/9998.

0 Karma

xpac
SplunkTrust
SplunkTrust

Try splunk show inputstatus on the CLI, as well as splunk list monitor

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...