Re: issue with batch input that has stopped workin...

ebaileytu · ‎04-20-2021

We have a long standing batch input that has stopped working. No matter how i change the input including pointing the input directly at a singe file, nothing changes. Any way to get more information? Right now I have no information about why the files are not being ingested anymore. Can I change a logging config to get more info?

I have cleared the fishbucket with no changes. We are using the 7.3.3 UF.

I do notice more latency when i ls the file. Could the shared file system be too slow?

I am baffled so any ideas are more than welcome.

Thanks!

ebaileytu · ‎04-21-2021

i turned the debug logs on but that just confirmed Splunk is ignoring the files even though the paths are present in list monitor. Just opened a case. Thanks

venkatasri · ‎04-21-2021

Hi @ebaileytu

There could be several possibilities,

check _internal index, splunkd sourcetype for any errors
./splunk list monitor to find what files being monitored, make sure files having enough read permissions for splunk uf to read
Enable these debug flags if required - Community:Troubleshooting Monitor Inputs - Splunk Wiki

See file tail processor state command -

curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus

Docs - Troubleshoot the input process - Splunk Documentation

issue with batch input that has stopped working

inputs.conf

other

universal forwarder

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!