Getting Data In

cannot get data from directory path

jsharvina
New Member

i need to index a bunch of xml logs that have an extension of .stats

i was able to just upload one of them from the same network location, and splunk indexed it just fine. but it refuses to index the lot of them form the path. it doesn't come up with any errors, just doesn't add them to the index.

i have tried J:\jobs\2010-06*.stats and J:\jobs\2010-06\

please help.

thanks,

jane

Tags (1)
0 Karma
1 Solution

Lowell
Super Champion

Two thoughts.

1.) Do any of these files contain the exact same information. Or is it possible they that would have the same first/last 256 bytes? If so, you could try adding crcSalt = <SOURCE> in your inputs.conf file. (There are some gotchas to doing this, so I wouldn't recommend trying it unless you suspect this is the case.)

2.) Have you check for any messages regarding this input in your _internal index? Use a search like: index=_internal sourcetype=splunkd ERROR OR WARN

How did you get the first file to load?

View solution in original post

0 Karma

Lowell
Super Champion

Two thoughts.

1.) Do any of these files contain the exact same information. Or is it possible they that would have the same first/last 256 bytes? If so, you could try adding crcSalt = <SOURCE> in your inputs.conf file. (There are some gotchas to doing this, so I wouldn't recommend trying it unless you suspect this is the case.)

2.) Have you check for any messages regarding this input in your _internal index? Use a search like: index=_internal sourcetype=splunkd ERROR OR WARN

How did you get the first file to load?

0 Karma

jsharvina
New Member

mystery solved - it was the fact that the splunk service was running under local user. changing it to a domain account (using the same username and password) made all the logs pile into the index. phew 🙂

0 Karma

jsharvina
New Member

1) the beginning and end characters are not the same for as long as 256 chars

2) searching through internal splunk errors revealed an access is denied error to that directory. i've checked all the permissions though and they're not protected. seems like that's where the issue is though. still remains strange that i was able to import one log from the same location just fine (that was also done through files and directories, but using upload a local file [even though i pointed it to a network location] as opposed to pointing to a path.

still a mystery

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...