Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: cannot get data from directory path
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i need to index a bunch of xml logs that have an extension of .stats
i was able to just upload one of them from the same network location, and splunk indexed it just fine. but it refuses to index the lot of them form the path. it doesn't come up with any errors, just doesn't add them to the index.
i have tried J:\jobs\2010-06*.stats and J:\jobs\2010-06\
please help.
thanks,
jane
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two thoughts.
1.) Do any of these files contain the exact same information. Or is it possible they that would have the same first/last 256 bytes? If so, you could try adding crcSalt = <SOURCE> in your inputs.conf file. (There are some gotchas to doing this, so I wouldn't recommend trying it unless you suspect this is the case.)
2.) Have you check for any messages regarding this input in your _internal index? Use a search like: index=_internal sourcetype=splunkd ERROR OR WARN
How did you get the first file to load?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two thoughts.
1.) Do any of these files contain the exact same information. Or is it possible they that would have the same first/last 256 bytes? If so, you could try adding crcSalt = <SOURCE> in your inputs.conf file. (There are some gotchas to doing this, so I wouldn't recommend trying it unless you suspect this is the case.)
2.) Have you check for any messages regarding this input in your _internal index? Use a search like: index=_internal sourcetype=splunkd ERROR OR WARN
How did you get the first file to load?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mystery solved - it was the fact that the splunk service was running under local user. changing it to a domain account (using the same username and password) made all the logs pile into the index. phew 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) the beginning and end characters are not the same for as long as 256 chars
2) searching through internal splunk errors revealed an access is denied error to that directory. i've checked all the permissions though and they're not protected. seems like that's where the issue is though. still remains strange that i was able to import one log from the same location just fine (that was also done through files and directories, but using upload a local file [even though i pointed it to a network location] as opposed to pointing to a path.
still a mystery
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
