Getting Data In

universal forwarder monitor not working

sushildabare
Path Finder

Universal forwarder is installed on Linux server spwdfvml0247.
On it we have the following folders: exe, gen, global, profile, profile_back, src under the path spwdfvml0247:/usr/sap/IX4/SYS.

The index server is installed on Windows server spwdfvm1490. All data under the path /usr/sap/IX4/SYS is being passed/indexed to the indexer except the 'profile' folder. Even if we monitor a specific file in the 'profile' folder, it's not getting passed/indexed in the index server. It is also not showing in input activity. Below is the monitor we are using in inputs.conf on the forwarder:

spwdfvml0247:/opt/splunkforwarder/etc/apps/search/local # cat inputs.conf
[monitor:///usr/sap/IXV/SYS/profile]
disabled = false
index = erp

Please help and let me know why this monitor is not working and not getting indexed.
Thanks
Rajshekhar

0 Karma

jbsplunk
Splunk Employee

I would recommend you try looking at the REST endpoint to see what the forwarder thinks is happening with the log. Run it from $SPLUNK_HOME/bin/:

'splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus > somefile.out'

After that look at the output file, see what it says about the file/directory.

0 Karma

jbsplunk
Splunk Employee

Maybe the source and/or host is being transformed. Try searching with something like this:

'index=* some_unique_text_in_log'

0 Karma

sushildabare
Path Finder

Yes, we have used SOURCE in capital letters. Below is the complete stanza:
[monitor:///usr/sap/IXV/SYS/profile]
disabled = false
crcSalt = <SOURCE>
index = erp

And in Search field we are giving:
host= "spwdfvml0247" source= "/usr/sap/IXV/SYS/profile"
and searching over all time but still no events found.

Thanks
Raj.

0 Karma

jbsplunk
Splunk Employee

Make sure that source is in caps. I can't tell from your response if this is the case or not. Also, I am not sure how you are searching, but I recommend removing all time constraints and searching over all time, in case you may have some timestamp issues obfuscating your search results. Perhaps these files being mentioned were already consumed.

0 Karma

sushildabare
Path Finder

We have 2 issues now.
1. We have added the crcSalt = <SOURCE> parameter in the monitor stanza. After that it's consuming files and showing the files in input activity, but the problem is that when we do the search with this source it does not retrieve any events.
Please tell us how to overcome this issue.

2. Also, after adding crcSalt it's consuming all files (in input activity, as said above in point 1) except one file, DEFAULT.PFL, and in somefile.out it shows the same error for this file: ignored file (crc conflict, needs crcSalt)/s:key /s:dict /s:key etc. What needs to be done to solve these problems?
0 Karma

jbsplunk
Splunk Employee

This means that the file is being ignored because splunk has already recorded the same crcSalt for another file, and as such, we are ignoring the file because Splunk thinks it has already indexed the file. If you wanted, you could use crcSalt for this input:

crcSalt = <SOURCE>

If set, this string is added to the CRC. Use this setting to force Splunk to consume files that have matching CRCs. If set to crcSalt = <SOURCE> (note: This setting is case sensitive), then the full source path is added to the CRC.

For reference:

http://www.splunk.com/base/Documentation/latest/Admin/Monitorfilesanddirectories

0 Karma
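An added illustration, not part of the thread and not Splunk's code: the "crc conflict" status arises when two files begin with the same bytes, because the forwarder checksums only the head of each file (256 bytes by default, `initCrcLength`). The sketch uses `zlib.crc32` as a stand-in for Splunk's internal checksum, hypothetical function names, and constructed sample files to show how mixing the source path into the checksum separates such files.

```python
import os
import tempfile
import zlib
from collections import defaultdict

INIT_CRC_LENGTH = 256  # Splunk's default initCrcLength (bytes of file head checksummed)


def head_crc(path, salt_with_source=False):
    """Checksum the first INIT_CRC_LENGTH bytes of a file; optionally mix in the
    full path, the effect described above for crcSalt = <SOURCE>.
    zlib.crc32 is an assumption standing in for Splunk's real algorithm."""
    with open(path, "rb") as fh:
        data = fh.read(INIT_CRC_LENGTH)
    if salt_with_source:
        data = os.path.abspath(path).encode() + data
    return zlib.crc32(data)


def find_conflicts(directory, salt_with_source=False):
    """Return lists of file names in `directory` whose head checksums collide."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            groups[head_crc(path, salt_with_source)].append(name)
    return [names for names in groups.values() if len(names) > 1]


def demo():
    """Create constructed sample files and compare unsalted vs. path-salted results."""
    header = b"#" * 300 + b"\n"  # constructed: identical banner longer than 256 bytes
    samples = [("DEFAULT.PFL", header + b"a = 1\n"),
               ("INSTANCE_A", header + b"b = 2\n"),
               ("UNIQUE.txt", b"no shared header\n")]
    with tempfile.TemporaryDirectory() as d:
        for name, content in samples:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
        return find_conflicts(d), find_conflicts(d, salt_with_source=True)


if __name__ == "__main__":
    unsalted, salted = demo()
    print("conflicts without salt:", unsalted)
    print("conflicts with path salt:", salted)
```

Pointing `find_conflicts` at a monitored directory lists the files whose first 256 bytes are identical and that are therefore candidates for this status.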

sushildabare
Path Finder

Hello,

I get the below error while using the command provided by you.




directory/s:key
/s:dict
/s:key


/usr/sap/IX4/SYS/profile/s:key
ignored file (crc conflict, needs crcSalt)/s:key
/s:dict
/s:key


What does this mean and what needs to be done to rectify the problem?

0 Karma

sushildabare
Path Finder

Hello,

Yes, user is having full permission to access profile directory.

Best regards,
Kratika

0 Karma

Drainy
Champion

Does the user that Splunk runs as have permissions to access the profile directory?

0 Karma