Getting Data In

datainput issue

Explorer

We used free enterprise splunk. we import logs into splunk.

Some log files data won't show in splunk

I want to make sure I did right to set up the import.
1) settings --Data --data input -- Files and directories --new --enter file location
The log files are organized into a folder by day and month.
1) do I need to disable the previous month for datainput working.

See the examples: Is my settings are correct?

 C:\logs\2014\201410   Constant Value     Session     default                search       Disabled | Enable  Clone  | Delete  
 C:\logs\2014\201411   Constant Value     Session     default                 search       Disabled | Enable  Clone  | Delete  
 C:\logs\2014\201412   Constant Value    Session      default  57483     launcher   Enabled | Disable  Clone 
Tags (2)
0 Karma

Path Finder

Hi,
Have you add your data file by file or the folder one time?
because you have in your example 3 lines and see the sixth column, app name is different (search and launcher)

 C:\logs\2014\201410   Constant Value     Session     default                search       Disabled | Enable  Clone  | Delete  
  C:\logs\2014\201411   Constant Value     Session     default                 search       Disabled | Enable  Clone  | Delete  
  C:\logs\2014\201412   Constant Value    Session      default  57483     launcher   Enabled | Disable  Clone 

I think you should have one line

 C:\logs   Constant Value    Session      default  57483     search   Enabled | Disable  Clone 

So when you enter the path name be sure to enter the whole folder. Perhaps is this the problem.

Splunk Employee
Splunk Employee

Explorer

Well, the cap one is accidently.
If so, you cannot make it accepted? A

0 Karma

Splunk Employee
Splunk Employee

And if you accidentally used all capital letters, you can edit your posting to fix it.

0 Karma

Splunk Employee
Splunk Employee

please stop using the Answer field to comment. if you have further information about your issue, provide it in your question above.

0 Karma

Explorer

i PREFER TO GET AN ANSWER INSTEAD SENDING A LINK. i HAVE THAT LINK BUT NOT EVERYTHING NEED TO KNOW IN THE LINK.

0 Karma

Splunk Employee
Splunk Employee

CAPS LOCK ISN'T CRUISE CONTROL FOR COOL.

But, the link is the same as the answer, it provides information.

There is no 100% guarantee that any answers here will solve your problem. This is a free community support answers board after all. You want 100% accurate answers, you will need to pay for support.

That being said, the answers provided are the correct ones.

Explorer

Thank you for your reply but I am new to splunk. I would like to know that will resolve my issue?

I manually set up or disable monthly data input

0 Karma

SplunkTrust
SplunkTrust

If you have access to the server, update the inputs.conf like this to have single monitoring stanza for all the folders/subfolders

[monitor://C:\logs\(\d{4})\(\d{6}\*]
disabled = false
followTail = 0
sourcetype = Session
index = main