Getting Data In
Highlighted

Why is only the first log file indexed, not the entire directory of SSRS logs being monitored?

Path Finder

I am indexing SSRS logs. The path to the logs is: C:\Program Files\MSRS12.MSSQLSERVER\Reporting Services\LogFiles. The forwarder sends and the indexer receives but it is only indexing the first log file in the directory. For example, we added a new server that has SSRS logs. I put a monitor in inputs.conf for the path to the log files. In that directory it has logs dating from 5/5/2015 - 5/21/2015. I go to our Splunk instance and do a simple search for index=ssrs and it populates data but the most recent date is 5/5/2015. None of the other log files have been indexed. Any suggestions?

Highlighted

Re: Why is only the first log file indexed, not the entire directory of SSRS logs being monitored?

Influencer

Are the first 256 bytes of each file the same? (Offhand I think it's 256 bytes for the hashing that the forwarder does) a possibility is that could the forwarder be thinking these are rolls of the same file and therefore not indexing any beyond the first (if this is the problem you would solve this with crcSalt=<SOURCE> in inputs.conf on the forwarder (double check exact syntax here, I'm on my phone)

View solution in original post

Highlighted

Re: Why is only the first log file indexed, not the entire directory of SSRS logs being monitored?

Path Finder

Yes, there is a header at the beginning of each log file that has the same information. I will add it to inputs.conf and give it a shot. Thank you!

Seems to be working fine now. That addition to inputs.conf did the trick. Thank you very much sir!

0 Karma
Highlighted

Re: Why is only the first log file indexed, not the entire directory of SSRS logs being monitored?

Influencer

Excellent! (Converted to an answer so it can be marked as accepted)

0 Karma