Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is there an issue with monitoring log file monitoring?

akgmail
Engager
‎06-09-2022 09:52 AM

The test_new.html is getting update every 4 hours.The html file may or maynot have same number of lines.

The data is only coming immediately when I am adding say test data into the html file. That means the data flow is not an issue.  

I am expecting it to send me data as and when timestamp of the file changes. 
Need your suggestions on the same.

I have done below configuration

In UF agent I have  added inputs.conf as


[monitor:///root/splunkstorage/test_new.html]
disabled = false
index = test_normal
sourcetype = test:global:testnew:html
crcSalt = <SOURCE>

In the indexer I have props.conf 

[test:global:testnew:html]
DATETIME_CONFIG = CURRENT
CHECK_METHOD = modtime
LINE_BREAKER = (<html><body>)
NO_BINARY_CHECK = true
SEDCMD-addvalues = s/<head>/<html><body>\n<head>/g
TRUNCATE = 0
category = Custom
disabled = false
pulldown_type = true

Labels (1)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-09-2022 05:27 PM

You did restart the UF after changing the inputs.conf file, right?

Check the UF's logs to see if it explains why it's not reading the file.

BTW, if you change the LINE_BREAKER to 

LINE_BREAKER = ()<html><body>

then you won't need the SEDCMD.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

akgmail
Engager
‎06-10-2022 03:34 AM

Hi ,
Thanks for your response.

Yes I have restarted UF agent multiple times. I have check the logs index=_intenal host="uf_agent" source=splunkd I have not seen any ERROR.

I tested it again as I added a line to the test_new.html I can see the data immediately.

0 Karma
Reply

akgmail
Engager
‎06-10-2022 04:13 AM

If I am say adding a text "hello world" to test_new.html and saving it I am getting data in splunk.

However if I am doing vi test_new.html and saving the file I am not getting any data in splunk.

It seems to be weird issue .

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...