This is on a Windows box to a windows network location. I have set up an input on a folder located on a network drive with the following in my inputs.conf
[monitor://\\myserver\tempfolder$\Logs\logfileprefix*]
disabled = false
followTail = 0
host = myserver
sourcetype = my-source-type
index = main
However, no logs are getting indexed. I have already checked that the Splunk account can access this folder.
EDIT 2: In the splunk management page you can see that it has found hundreds of files to index. But they cannot be found when searching.
EDIT: I can index the files using Splunk's oneshot command
splunk add oneshot "\\myserver\tempfolder$\Logs\logfileprefix.log" -sourcetype "my-source-type" -index "main" -host "%host%"
Turns out this was nothing to do with any of the characters or permissions. For some reason the ending of logfileprefix* was causing the problem (despite working on non-network folders). I swapped this to use a whitelist instead... which didn't work. Finally I added a blacklist, which did.
The final working config looks similar to:
[monitor://\\myserver\tempfolder$\Logs]
disabled = false
followTail = 0
sourcetype = mysourcetype
whitelist =
blacklist = (something|BLAH\-[0-9]+)
index = tmp
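As an added illustration (not code from the thread or from Splunk), the Python script below models how the accepted answer's stanza would filter a set of constructed UNC file paths. The matching rules it applies (unanchored regexes tested against the full path, a blank whitelist meaning no restriction, blacklist taking precedence, subdirectories included by default) are assumptions drawn from the inputs.conf documentation, and the sample paths are made up.

```python
import re

# Assumed Splunk monitor-stanza semantics, modelled here from the inputs.conf
# documentation (this is not Splunk's own code): whitelist and blacklist are
# unanchored regexes tested against a file's full path, an empty whitelist
# imposes no restriction, and blacklist takes precedence over whitelist.
FINAL_STANZA = {  # the accepted answer's stanza, sourcetype/index omitted
    "path": r"\\myserver\tempfolder$\Logs",
    "whitelist": "",
    "blacklist": r"(something|BLAH\-[0-9]+)",
}

# Constructed sample file paths; none of these come from the thread.
SAMPLE_PATHS = [
    r"\\myserver\tempfolder$\Logs\logfileprefix-2013-01-11.log",
    r"\\myserver\tempfolder$\Logs\sub\logfileprefix-archive.log",
    r"\\myserver\tempfolder$\Logs\BLAH-42.log",
    r"\\myserver\tempfolder$\Logs\something.txt",
    r"\\myserver\tempfolder$\Other\logfileprefix.log",
]


def would_monitor(path: str, stanza: dict) -> bool:
    """True if the modelled stanza would pick up `path`."""
    root = stanza["path"].rstrip("\\")
    # Windows paths are case-insensitive; the file must sit under the stanza
    # root. The default recursive=true means subdirectories count as well.
    if not path.lower().startswith(root.lower() + "\\"):
        return False
    blacklist = stanza.get("blacklist", "")
    if blacklist and re.search(blacklist, path):
        return False  # blacklist wins even when the whitelist also matches
    whitelist = stanza.get("whitelist", "")
    if whitelist and not re.search(whitelist, path):
        return False
    return True


def check_stanza(paths, stanza=FINAL_STANZA) -> dict:
    """Map each path to its monitor decision, to preview a stanza before deploying it."""
    return {p: would_monitor(p, stanza) for p in paths}


if __name__ == "__main__":
    for path, keep in check_stanza(SAMPLE_PATHS).items():
        print(("monitor " if keep else "skip    ") + path)
```

Running it shows that the blacklist drops the BLAH-nnn and "something" files while everything else under \Logs (including subfolders) is picked up.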
Check if your files have a static header and are skipped because they are considered duplicates. Test by adding a comment on the first line, and look at the crc options in inputs.conf.
OK, so this is an input misconfigured, or a permission issue.
Or a forwarding issue. (To check if the forwarding is working for other files, search on the indexer for index=_internal host=myforwarder.)
I have the same problem. So I added a fake header on my new files, and Splunk started ingesting the file!! Thanks for your tips!!!
The files not indexed are completely new, with a different name and timestamp etc., so I don't think this is the problem.
Hi jameshgibson
Does the account running splunkd have network access? By default this is not allowed for system services, so you have to enable this first.
cheers,
MuS
Gave changing the user account a bash, but no change, unfortunately.
Found this one, where the solution was to use a different user to run Splunk -> http://splunk-base.splunk.com/answers/4614/how-do-i-monitor-a-unc-path
OK, then a quick and dirty test: use the UNC path without $ and see if it works. If yes, you can file a case and ask support how this must be done with a hidden UNC share.
I saw that but from the answer I can't see anything he changed to fix it. Also the answer directly below seems to suggest that it is not the case.
This is related to authentication between search heads and search peers and not file monitoring -> http://splunk-base.splunk.com/answers/27523/splunkdlog-denied-session-token-for-user-splunk-system-u...
But check this out: http://splunk-base.splunk.com/answers/58727/unc-path-with-sign Looks like the $ is your problem.
Getting a lot of warnings for: 01-11-2013 10:00:43.134 +0000 WARN AdminHandler:AuthenticationHandler - Denied session token for user: splunk-system-user
Do you get any errors in splunkd.log?
Good idea, but I assume that as Splunk oneshot works, it must be able to access it.