Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is Splunk not indexing the file but configuring inputs.conf?

JordanPeterson
Path Finder
‎05-09-2018 02:25 PM

So I am trying to monitor a file on the local indexer. I am setting it up through the Web UI to be sure it works. I get the following results in my splunkd.log

05-09-2018 16:05:44.453 -0500 INFO  TailingProcessor - Parsing configuration stanza: monitor:///tmp/TaskStatus.test.log.
05-09-2018 16:05:44.453 -0500 INFO  TailingProcessor - Adding watch on path: /tmp/TaskStatus.test.log.

But nothing actually shows up in the index. I've edited the file so I know it's changing and I was able to preview the file in the web interface and it loaded fine. The actual input itself is not working. Any thoughts on why?

The inputs.conf that gets created: 

[monitor:///tmp/TaskStatus.test.log]
disabled = false
index = tasklogs
sourcetype =_json

I made the splunk user the owner and verified it had read/write permissions on the file. If I upload the file for one time indexing it works fine.

I can't think of any reason it wouldn't work.

Reply
1 Solution
Solved! Jump to solution
Solution

JordanPeterson
Path Finder
‎05-10-2018 01:13 PM

The issue was it was stuck in ingestion queue. I changed how it acted when the file was in use in my inputs and props and it appears to be working now.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

JordanPeterson
Path Finder
‎05-10-2018 01:13 PM

The issue was it was stuck in ingestion queue. I changed how it acted when the file was in use in my inputs and props and it appears to be working now.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-09-2018 09:42 PM

There are many possible reasons:

If timestamping is wrong, the events could be landing in times outside of your expected search window (in the future, for example).
Similar to the above, check MAX_DAYS_HENCE and MAX_DAYS_AGO (and associated logs).
The settings/size of that index may be such that events get expired just after they are indexed.
You might have a firewall running on that indexer blocking outgoing connections to port 9997/9998.

0 Karma
Reply
Solved! Jump to solution

xpac
SplunkTrust
SplunkTrust
‎05-09-2018 02:53 PM

Try splunk show inputstatus on the CLI, as well as splunk list monitor

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top