Re: datainput issue

ginger8990 · ‎12-15-2014

We used free enterprise splunk. we import logs into splunk.

Some log files data won't show in splunk

I want to make sure I did right to set up the import.
1) settings --Data --data input -- Files and directories --new --enter file location
The log files are organized into a folder by day and month.
1) do I need to disable the previous month for datainput working.

See the examples: Is my settings are correct?

 C:\logs\2014\201410   Constant Value     Session     default                search       Disabled | Enable  Clone  | Delete  
 C:\logs\2014\201411   Constant Value     Session     default                 search       Disabled | Enable  Clone  | Delete  
 C:\logs\2014\201412   Constant Value    Session      default  57483     launcher   Enabled | Disable  Clone

btt · ‎12-17-2014

Hi,
Have you add your data file by file or the folder one time?
because you have in your example 3 lines and see the sixth column, app name is different (search and launcher)

 C:\logs\2014\201410   Constant Value     Session     default                search       Disabled | Enable  Clone  | Delete  
  C:\logs\2014\201411   Constant Value     Session     default                 search       Disabled | Enable  Clone  | Delete  
  C:\logs\2014\201412   Constant Value    Session      default  57483     launcher   Enabled | Disable  Clone

I think you should have one line

 C:\logs   Constant Value    Session      default  57483     search   Enabled | Disable  Clone

So when you enter the path name be sure to enter the whole folder. Perhaps is this the problem.

piebob · ‎12-15-2014

here are some suggestions for further reading:

http://docs.splunk.com/Documentation/Splunk/6.2.0/Troubleshooting/Cantfinddata

ginger8990 · ‎12-16-2014

Well, the cap one is accidently.
If so, you cannot make it accepted? A

ChrisG · ‎12-16-2014

And if you accidentally used all capital letters, you can edit your posting to fix it.

piebob · ‎12-16-2014

please stop using the Answer field to comment. if you have further information about your issue, provide it in your question above.

ginger8990 · ‎12-16-2014

i PREFER TO GET AN ANSWER INSTEAD SENDING A LINK. i HAVE THAT LINK BUT NOT EVERYTHING NEED TO KNOW IN THE LINK.

bosburn_splunk · ‎12-16-2014

CAPS LOCK ISN'T CRUISE CONTROL FOR COOL.

But, the link is the same as the answer, it provides information.

There is no 100% guarantee that any answers here will solve your problem. This is a free community support answers board after all. You want 100% accurate answers, you will need to pay for support.

That being said, the answers provided are the correct ones.

ginger8990 · ‎12-15-2014

Thank you for your reply but I am new to splunk. I would like to know that will resolve my issue?

I manually set up or disable monthly data input

somesoni2 · ‎12-15-2014

If you have access to the server, update the inputs.conf like this to have single monitoring stanza for all the folders/subfolders

[monitor://C:\logs\(\d{4})\(\d{6}\*]
disabled = false
followTail = 0
sourcetype = Session
index = main

datainput issue

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms