The universal forwarder is installed on Linux server spwdfvml0247.
On it we have the folders exe, gen, global, profile, profile_back and src under the path spwdfvml0247:/usr/sap/IX4/SYS.
The index server is installed on Windows server spwdfvm1490. All data under the path /usr/sap/IX4/SYS is being passed/indexed to the indexer except the 'profile' folder. Even if we monitor a specific file in the 'profile' folder, it's not getting passed/indexed in the index server. It is not showing in input activity either. Below is the monitor we are using in inputs.conf on the forwarder:
spwdfvml0247:/opt/splunkforwarder/etc/apps/search/local # cat inputs.conf
[monitor:///usr/sap/IXV/SYS/profile]
disabled = false
index = erp
Please help and let me know why this monitor is not working and not getting indexed.
Thanks
Rajshekhar
I would recommend you try looking at the REST endpoint to see what the forwarder thinks is happening with the log. Run it from $SPLUNK_HOME/bin/:
'splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus > somefile.out'
After that look at the output file, see what it says about the file/directory.
Maybe the source and/or host is being transformed. Try searching with something like this:
'index=* some_unique_text_in_log'
Yes, we have used SOURCE in capital letters; below is the complete stanza:
[monitor:///usr/sap/IXV/SYS/profile]
disabled = false
crcSalt = <SOURCE>
And in the Search field we are giving:
host= "spwdfvml0247" source= "/usr/sap/IXV/SYS/profile"
and searching over all time but still no events found.
Thanks
Raj.
Make sure that source is in caps. I can't tell from your response if this is the case or not. Also, I am not sure how you are searching, but I recommend removing all time constraints and searching over all time, in case you may have some timestamp issues obfuscating your search results. Perhaps these files being mentioned were already consumed.
We have 2 issues now.
1. We have added crcSalt =
This means that the file is being ignored because Splunk has already recorded the same crcSalt for another file, and as such, we are ignoring the file because Splunk thinks it has already indexed the file. If you wanted, you could use crcSalt for this input:
crcSalt = <SOURCE>
If set, this string is added to the CRC. Use this setting to force Splunk to consume files that have matching CRCs. If set to crcSalt = <SOURCE> (note: This setting is case sensitive), then the full source path is added to the CRC.
For reference:
http://www.splunk.com/base/Documentation/latest/Admin/Monitorfilesanddirectories
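The CRC check and the effect of crcSalt described in the answer above, as an added illustration (not code from this thread or from Splunk): a simplified Python model that assumes the default 256-byte initial CRC window and uses zlib.crc32 as a stand-in checksum. File names and contents are constructed.

```python
import zlib

INIT_CRC_LENGTH = 256  # default number of leading bytes fingerprinted per file


def initial_crc(content, source, crc_salt=None):
    """Fingerprint used to decide 'has this file been seen before?'.

    zlib.crc32 is a stand-in; Splunk's internal checksum is not reproduced.
    """
    data = content[:INIT_CRC_LENGTH]
    if crc_salt == "<SOURCE>":
        data += source.encode()    # literal <SOURCE>: full path is mixed in
    elif crc_salt:
        data += crc_salt.encode()  # any other value: the string itself
    return zlib.crc32(data)


def tail(files, crc_salt=None):
    """Return {path: 'indexed' | 'skipped'} for files visited in order."""
    seen = set()
    result = {}
    for path, content in files.items():
        crc = initial_crc(content, path, crc_salt)
        result[path] = "skipped" if crc in seen else "indexed"
        seen.add(crc)
    return result


# Constructed sample: files sharing a long identical header, which is
# common for generated config/profile files.
HEADER = b"#" + b"-" * 299 + b"\n"
FILES = {
    "/demo/profile/one.pfl": HEADER + b"param_a = 1\n",
    "/demo/profile/two.pfl": HEADER + b"param_b = 2\n",
    "/demo/profile/two.bak": HEADER + b"param_b = 2\n",  # renamed copy
}

if __name__ == "__main__":
    print("no salt :", tail(FILES))
    print("<SOURCE>:", tail(FILES, "<SOURCE>"))
```

With the salt every path gets its own fingerprint, so the renamed copy is indexed again as well; on inputs whose files are rotated or renamed this produces duplicate events.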
Hello,
Yes, the user has full permission to access the profile directory.
Best regards,
Kratika
Does the user that Splunk runs as have permissions to access the profile directory?