Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my file not being indexed?

Kozanic
Path Finder
‎07-09-2018 06:12 PM

I'm trying to on-board a new application and having issues from the get go.

Application is IBM IIB and outputs logs in to a number of sub directories beneath 1 parent logs directory.

Logs are single events per log file and a mix of XML and json formats.

I have started with the xml versions and one of the sub folders to confirm that my inputs were working correctly.

There are 3 files in the directory and all 3 show as being read, but only 2 made it to the index and show in search.

Trying to understand the cause of the 3rd not making it to the indexer.

Inputs:

[monitor://Q:\IIB_Log\CustomerDominoConsumer\ActivateDeactivateClient\mqsiarchive\*.log]
disabled = false
index = hprg_applog_nonprod
sourcetype = hprg:iib:xml

After setting this and seeing the issue - I ran “splunk list inputstatus” on the server where the files reside and I can see the below output regarding the files: 

    Q:\IIB_Log\CustomerDominoConsumer\ActivateDeactivateClient\mqsiarchive\*.log
            type = directory

    Q:\IIB_Log\CustomerDominoConsumer\ActivateDeactivateClient\mqsiarchive\20180410_214256_061062_CustomerDominoConsumer_ActivateDeateClient_SOAPRequest.log
            file position = 313
            file size = 313
            parent = Q:\IIB_Log\CustomerDominoConsumer\ActivateDeactivateClient\mqsiarchive\*.log
            percent = 100.00
            type = finished reading

    Q:\IIB_Log\CustomerDominoConsumer\ActivateDeactivateClient\mqsiarchive\20180410_233834_470779_CustomerDominoConsumer_ActivateDeateClient_SOAPRequest.log
            file position = 313
            file size = 313
            parent = Q:\IIB_Log\CustomerDominoConsumer\ActivateDeactivateClient\mqsiarchive\*.log
            percent = 100.00
            type = finished reading

    Q:\IIB_Log\CustomerDominoConsumer\ActivateDeactivateClient\mqsiarchive\20180410_234012_541048_CustomerDominoConsumer_ActivateDeateClient_SOAPRequest.log
            file position = 313
            file size = 313
            parent = Q:\IIB_Log\CustomerDominoConsumer\ActivateDeactivateClient\mqsiarchive\*.log
            percent = 100.00
            type = finished reading

which to me suggests that Splunk has read and process all 3 files, yet when I run the search “index=_internal host=DWxxxxxS31 q:\”

I get the below: 

05/07/2018
15:38:09.884       
07-05-2018 15:38:09.884 +1000 INFO  Metrics - group=per_source_thruput, series="q:\iib_log\customerdominoconsumer\activatedeactivateclient\mqsiarchive\20180410_234012_541048_customerdominoconsumer_activatedeactivateclient_soaprequest.log", kbps=0.009649, eps=0.063136, kb=0.305664, ev=2, avg_age=3682772.500000, max_age=7365545
host =     DWxxxxxS31 source =        C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log sourcetype =                splunkd
05/07/2018
15:38:09.884       
07-05-2018 15:38:09.884 +1000 INFO  Metrics - group=per_source_thruput, series="q:\iib_log\customerdominoconsumer\activatedeactivateclient\mqsiarchive\20180410_214256_061062_customerdominoconsumer_activatedeactivateclient_soaprequest.log", kbps=0.009649, eps=0.063136, kb=0.305664, ev=2, avg_age=3687826.500000, max_age=7375653
host =     DWxxxxxS31 source =        C:\Program Files\SplunkUniversalForwarder\var\log\splunk\metrics.log sourcetype =                splunkd
05/07/2018
15:37:39.025       
07-05-2018 15:37:39.025 +1000 INFO  TailingProcessor - Adding watch on path: Q:\IIB_Log\CustomerDominoConsumer\ActivateDeactivateClient\mqsiarchive.
host =     DWxxxxxS31 source =        C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype =                splunkd
05/07/2018
15:37:39.025       
07-05-2018 15:37:39.025 +1000 INFO  TailingProcessor - Parsing configuration stanza: monitor://Q:\IIB_Log\CustomerDominoConsumer\ActivateDeactivateClient\mqsiarchive\*.log.
host =     DWxxxxxS31 source =        C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log sourcetype =                splunkd

which to me suggests Splunk has only processed 2 of the 3 files, which also fits with the fact that when I search the sourcetype for the input, I’m only getting 2 results.

Looking for any tips / suggestions that might help me trouble shoot this issue.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎07-12-2018 03:00 AM

Do these files have headers? If the first 256 bytes of the file are the same as the others it will get skipped, and in xml files that can be pretty common. Splunk will not consider the filename as a differentiator by default.

You can use the inputs.conf setting crcSalt to make splunk use the filenames as differentiators In your case

 [monitor://Q:\IIB_Log\CustomerDominoConsumer\ActivateDeactivateClient\mqsiarchive\*.log]
crcSalt = <SOURCE>
disabled = false
index = hprg_applog_nonprod
 sourcetype = hprg:iib:xml

View solution in original post

Reply
Solved! Jump to solution

Kozanic
Path Finder
‎07-16-2018 06:13 PM

So......

Seems there was a couple of issues at play here, with a syntax error being the one to stump me for a while.

Thanks jplumsdaine22 for your input - only one to offer anything on the topic. Seems you were 100% on the money.

After modifying the inputs to include crcSalt = , rather than crcSalt = , everything is working as expected.

0 Karma
Reply
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎07-12-2018 03:00 AM

Do these files have headers? If the first 256 bytes of the file are the same as the others it will get skipped, and in xml files that can be pretty common. Splunk will not consider the filename as a differentiator by default.

You can use the inputs.conf setting crcSalt to make splunk use the filenames as differentiators In your case

 [monitor://Q:\IIB_Log\CustomerDominoConsumer\ActivateDeactivateClient\mqsiarchive\*.log]
crcSalt = <SOURCE>
disabled = false
index = hprg_applog_nonprod
 sourcetype = hprg:iib:xml
Reply
Solved! Jump to solution

Kozanic
Path Finder
‎07-12-2018 03:18 PM

Thanks jplumsdaine22,

On closer inspection, I actually determined that the contents of 2 of the files was identical so tried adding crcSalt = to my inputs.conf - however it didn't seem to make any difference and still only indexed 2 of the files.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...