Now I want to monitor eee.txt. The file path is "C:\Program Files\new_folder(86)\eee.txt" and I configured the input step by step through the data-add wizard successfully, but cannot search anything from the specified index. Maybe the parentheses "(" and ")" are the reason.
Who can tell me how to solve the problem? TKS
Just because you are using an index called ts does not mean that it actually exists; did you create a ts index (with indexes.conf)? If not, switch to using index main as a test (because that always exists). In any case, there should be errors in the logs, so do a search like this to see what you find:
index=_* (host=ServerIP OR host=ServerName) (err* OR warn* OR fail*)
Can you provide two things:
1) Configuration for your data-input.
The easiest way is to take a look at the underlying inputs.conf, which I guess will be located in
If you clicked through the wizard, it is most likely the app "search" that your configuration is added to.
2) The Splunk search you expect to find the data. Most likely just index=foo.
There are just too many things to cover without additional information, since going through the wizard should work fine. F.e. read permission on the file, etc. ... but first things first.
1) the configuration of inputs.conf :
[monitor://C:\Program Files\new_folder(86)\tslog.txt]
disabled = false
index = ts
sourcetype = ts
2) the search :
source="C:\\Program Files\\new_folder(86)\\tslog.txt" index="ts" sourcetype="ts"
pls. advise me more, tks
Your input and search look correct. Steps from here ...
1) Is your file path correct?
2) Are there any problems Splunk reports? Look at
index=_internal sourcetype=splunkd "tslog.txt" and check for any errors.
F.e. the following example shows, from the bottom to the top, that the TailingProcessor is following the file and LicenseUsage reports that data is getting indexed.
02-10-2017 11:13:58.549 +0100 INFO LicenseUsage - type=Usage s="C:\\windows_log_test\\folder(123)\\test.log" st=tmp h="asdf" o="" idx="tmp" i="0E508918-B08F-4E61-97AD-BC9C4B6D706D" pool="auto_generated_pool_enterprise" b=9 poolsz=53687091200
02-10-2017 11:12:26.733 +0100 INFO TailingProcessor - Adding watch on path: C:\windows_log_test\folder(123)\test.log.
02-10-2017 11:12:26.733 +0100 INFO TailingProcessor - Parsing configuration stanza: monitor://C:\windows_log_test\folder(123)\test.log.
Anything else would be noticeable.
3) You can check if there is data in your index at all (if no other data is expected in the index): Settings -> indexes -> current size/event count
Edit: some additional things you can try
4) alter your splunk spl, f.e. only search for
5) check the state of your input:
| rest splunk_server=local /services/admin/inputstatus/TailingProcessor:FileStatus | transpose | search column=*tslog*
Reference for 5) http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/
6) While adding the log with the wizard, at some point you got a preview of your data, correct? If so, are the timestamps correct? If - for some reason - the events get indexed in Splunk with a timestamp in the future, your search won't find these logs, or they won't get indexed at all.
Maybe something will show us what's going on.
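To make steps 2) and 5) of the answer above, and the inputs.conf stanza the asker posted, repeatable, here is an added triage helper. It is example code written for this thread, not Splunk's own tooling: it parses the monitor stanzas out of an inputs.conf fragment, then reads splunkd.log lines and reports, per monitored path, whether the TailingProcessor added a watch, whether LicenseUsage recorded indexed bytes into the index the stanza names, and whether any WARN/ERROR line mentions the file. Both the stanza text and the log lines below are constructed samples modelled on what was quoted in the thread (the host name and GUID are placeholders). The normalisation step matters for paths with parentheses and spaces: LicenseUsage quotes the path with doubled backslashes while TailingProcessor prints it plainly and ends the sentence with a period, so a naive string compare of the three forms fails.

```python
"""Triage a Splunk file-monitor input that yields no events (added example)."""
import re

# Constructed sample: the asker's stanza plus a second file that never gets a watch.
INPUTS_CONF = r"""
[monitor://C:\Program Files\new_folder(86)\tslog.txt]
disabled = false
index = ts
sourcetype = ts

[monitor://C:\Program Files\new_folder(86)\other.txt]
index = ts
sourcetype = ts
"""

# Constructed splunkd.log lines modelled on the ones quoted in the thread
# (path and index swapped for the asker's values; host and GUID are placeholders).
SPLUNKD_LOG = [
    r"02-10-2017 11:12:26.733 +0100 INFO TailingProcessor - Parsing configuration stanza: monitor://C:\Program Files\new_folder(86)\tslog.txt.",
    r"02-10-2017 11:12:26.733 +0100 INFO TailingProcessor - Adding watch on path: C:\Program Files\new_folder(86)\tslog.txt.",
    r'02-10-2017 11:13:58.549 +0100 INFO LicenseUsage - type=Usage s="C:\\Program Files\\new_folder(86)\\tslog.txt" st=ts h="host1" o="" idx="ts" i="00000000-0000-0000-0000-000000000000" pool="auto_generated_pool_enterprise" b=57 poolsz=53687091200',
    # Constructed warning line, not a real Splunk message text.
    r"02-10-2017 11:14:00.001 +0100 WARN TailingProcessor - constructed sample warning for C:\Program Files\new_folder(86)\other.txt",
]

STANZA_RE = re.compile(r"^\[monitor://(.+)\]\s*$")
WATCH_RE = re.compile(r"TailingProcessor - Adding watch on path: (.+)$")
# s="..." may contain escaped backslashes; idx and b follow later on the same line.
USAGE_RE = re.compile(r'LicenseUsage - type=Usage s="((?:[^"\\]|\\.)*)".*?\bidx="([^"]*)".*?\bb=(\d+)')
LEVEL_RE = re.compile(r"^\S+ \S+ \S+ (WARN|ERROR|FATAL)\b")


def normalize_path(p: str) -> str:
    """Bring the three spellings of a Windows path seen in splunkd.log to one form."""
    p = p.strip().strip('"')
    p = p.replace("\\\\", "\\")  # LicenseUsage escapes backslashes inside s="..."
    p = p.rstrip(".")            # TailingProcessor ends its log sentence with a period
    return p.lower()             # NTFS paths are case-insensitive


def parse_monitor_stanzas(text: str) -> dict:
    """Return {normalized_path: {key: value}} for every [monitor://...] stanza."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = normalize_path(m.group(1))
            stanzas[current] = {}
        elif current is not None and "=" in line:
            k, v = line.split("=", 1)
            stanzas[current][k.strip()] = v.strip()
    return stanzas


def triage(inputs_conf: str, log_lines: list) -> dict:
    """Correlate each monitor stanza with watch, license-usage and warning lines."""
    stanzas = parse_monitor_stanzas(inputs_conf)
    report = {
        p: {
            "disabled": s.get("disabled", "false").lower() in ("1", "true"),
            "watched": False,
            "indexed_bytes": 0,
            "index_match": None,  # stays None until LicenseUsage reports the file
            "problems": [],
        }
        for p, s in stanzas.items()
    }
    for line in log_lines:
        m = WATCH_RE.search(line)
        if m:
            p = normalize_path(m.group(1))
            if p in report:
                report[p]["watched"] = True
            continue
        m = USAGE_RE.search(line)
        if m:
            p = normalize_path(m.group(1))
            if p in report:
                report[p]["indexed_bytes"] += int(m.group(3))
                expected = stanzas[p].get("index", "main")  # Splunk's default index
                report[p]["index_match"] = m.group(2) == expected
            continue
        if LEVEL_RE.match(line):
            low = line.lower()
            for p in report:
                if p in low:
                    report[p]["problems"].append(line)
    return report


if __name__ == "__main__":
    for path, r in triage(INPUTS_CONF, SPLUNKD_LOG).items():
        print(path)
        for k, v in r.items():
            print(f"  {k}: {v}")
```

In practice you would feed the function the real stanza from your app's local/inputs.conf and the result of the index=_internal sourcetype=splunkd search from step 2); a file that is "watched" with zero indexed bytes points at permissions, size, or timestamp problems (step 6), while one that is never watched points at the path or the stanza itself.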