- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Why is there issue with Universal Forwarder forwar...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why is there issue with Universal Forwarder forwarding logs to index?
Hi All,
I have installed splunk UF on windows . I have one static log file in system (json) and that need to be monitored. I have configure this in inputs.conf file.
I see only system/application and security logs being sent to indexer whereas the static log file is not seen.
I ran "splunk list inputstatus" and checked,
C:\Users\Administrator\Downloads\test\test.json
file position = 75256
file size = 75256
percent = 100.00
type = finished reading
So, this means the file is being read properly.
What can be the issue that I dont see test.json logs at splunk side ? I tried checking index=_internal at indexer but not able to figure out what is causing issue, I checked few blogs on Internet as well. Can anyone please help on this.
Thanks in Advance,
Newbie to splunk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[WinEventLog://Application]
disabled = 0
index = test_index
sourcetype = test_sourcetype
[WinEventLog://Security]
disabled = 0
index = test_index
sourcetype = test_sourcetype
[WinEventLog://System]
disabled = 0
index = test_index
sourcetype = test_sourcetype
[monitor://C:\Users\Administrator\Downloads\test\log.json]
disabled = 0
index = test_index
sourcetype = test_sourcetype
This is what my inputs.conf file
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Poojitha,
Splunk doesn't read twice a log, maybe your log was already read, could you try to add this row to ste stanza of your inputs.conf and restart Splunk on Forwarder?
crcSal = <SOURCE>Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Poojitha,
as you can read at https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/Usingforwardingagents and in many other videos, you have to do some preventive actions:
- did you already enable log receiving on Indexers [Settings -- Forwarderding and Receiving -- Receiving]?
- did you already enable log forwarding on Universal Forwarder (outputs.conf or installation procedure)?
- do you see internal logs from that Forwarders on Splunk (index=_internal host=<your_host>)
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gcusello Thanks for your response
- Yes, I have enabled it. I see system, application and security logs from that windows machine but not the log from the static file.
- Yes , I have enabled
- Yes, I checked index=_internal , there are logs from this host.
Searching the index=_internal and this host with the filename (test.json), I see nix_errors with tag=error :
active_searches=15, elapsedTime=0.604, search='pretypeahead
prefix="index=_internal \"test_sourcetype\" \"test-host\" \"test.json
max_time="1" count="50" use_cache=1', savedsearch_name="", drop_count=0, scan_count=0, eliminated_buckets=0, considered_events=0, decompressed_slices=0, events_count=0, total_slices=0, considered_buckets=0, search_rawdata_bucketcache_error=0, search_rawdata_bucketcache_miss=0, search_index_bucketcache_error=0, search_index_bucketcache_hit=0, search_index_bucketcache_miss=0, search_rawdata_bucketcache_hit=0, search_rawdata_bucketcache_miss_wait=0.000, search_index_bucketcache_miss_wait=0.000
What does this imply ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Poojitha,
the above tests were to understand if the connection id correctly establishhed.
Now, could you share your inputs.conf where the file is monitored?
in other words, a file called "inputs.conf" where is located a stanza with
[monitor://C:\Users\Administrator\Downloads\test\test.json]Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[WinEventLog://Application]
disabled = 0
index = test_index
sourcetype = test_sourcetype
[WinEventLog://Security]
disabled = 0
index = test_index
sourcetype = test_sourcetype
[WinEventLog://System]
disabled = 0
index = test_index
sourcetype = test_sourcetype
[monitor://C:\Users\Administrator\Downloads\test\log.json]
disabled = 0
index = test_index
sourcetype = test_sourcetypeThis is how my inputs.conf file looks like
What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience
Take Your Breath Away with Splunk Risk-Based Alerting (RBA)
SignalFlow: What? Why? How?
