Getting Data In

universal forwarder not forwarding all the files to indexer

lakshman237
Path Finder

I had the stanza in inputs.conf in the universal forwarder as:
[monitor:///my/logs/project]
blacklist = .(gz)$
whitelist = (xyz_debug_ms[1-4]{1}.txt|app1_ms[1-4]{1}.txt|\
app2sos_ms[1-2]{1}.log|system_ms.log\
remoteserver.log)
sourcetype = mylogs
index = my index

After restart, the forwarder showed only a few files in "splunk list monitor" and only those files were sent to the indexer for search. I then removed "\" and created two stanzas, with the same monitor:// line, with a few files in the whitelist in the first stanza and the remaining ones in the second stanza.

After restart, the forwarder is not showing the files which it had shown earlier in the list monitor. How can I ensure all the files are monitored and sent to the indexer?


itinney
Path Finder

Your blacklist should probably be:

blacklist = \.gz$

I believe your whitelist is missing a pipe symbol between the last two file specs, it should probably be:

whitelist = (xyz_debug_ms[1-4]{1}.txt|app1_ms[1-4]{1}.txt|app2sos_ms[1-2]{1}.log|system_ms.log|remoteserver.log)

When you say you then created two stanzas, can you include them so we can see what they look like? You should not have overlapping monitor stanzas.
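As an added illustration (not part of this thread and not Splunk's own code), the check below applies the blacklist and whitelist from the answer above the way Splunk evaluates them: both are unanchored regexes searched against the full path, and a path that matches the blacklist is dropped even when the whitelist matches. The file names are constructed, and the second, dot-escaped whitelist is an assumption added to show why a bare `.` before `log` or `txt` can pull in files you did not intend.

```python
import re

# Constructed sample paths under the monitored directory (not from the thread).
SAMPLE_PATHS = [
    "/my/logs/project/xyz_debug_ms1.txt",
    "/my/logs/project/app1_ms4.txt",
    "/my/logs/project/app2sos_ms2.log",
    "/my/logs/project/system_ms.log",
    "/my/logs/project/remoteserver.log",
    "/my/logs/project/remoteserver.log.gz",  # rotated copy: whitelisted but blacklisted
    "/my/logs/project/app1_ms5.txt",          # outside [1-4]: never whitelisted
    "/my/logs/project/system_ms_log.old",     # only matched if '.' is left unescaped
]

# The corrected lines from the answer, as posted (literal dots still unescaped).
BLACKLIST = r"\.gz$"
WHITELIST_POSTED = r"(xyz_debug_ms[1-4]{1}.txt|app1_ms[1-4]{1}.txt|app2sos_ms[1-2]{1}.log|system_ms.log|remoteserver.log)"
# Assumed variant with the literal dots escaped so '.log' cannot match '_log'.
WHITELIST_ESCAPED = r"(xyz_debug_ms[1-4]\.txt|app1_ms[1-4]\.txt|app2sos_ms[1-2]\.log|system_ms\.log|remoteserver\.log)"


def select_monitored(paths, whitelist, blacklist=None):
    """Apply Splunk's monitor filtering rules to a list of full paths.

    Both patterns are unanchored regexes searched against the full path;
    a path matching the blacklist is dropped even if the whitelist matches.
    """
    wl = re.compile(whitelist)
    bl = re.compile(blacklist) if blacklist else None
    kept = []
    for path in paths:
        if bl and bl.search(path):
            continue
        if wl.search(path):
            kept.append(path)
    return kept


def basenames(paths):
    """Strip the directory part so the results are easy to read."""
    return [p.rsplit("/", 1)[-1] for p in paths]


if __name__ == "__main__":
    for label, wl in (("posted", WHITELIST_POSTED), ("escaped", WHITELIST_ESCAPED)):
        print(label, basenames(select_monitored(SAMPLE_PATHS, wl, BLACKLIST)))
```

Without the blacklist, `remoteserver.log` in the whitelist also matches the rotated `remoteserver.log.gz`, which is why the `\.gz$` blacklist is still needed.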

lakshman237
Path Finder

The pipe was missed when I posted the query, however it's present in my config spec. Any other possibilities?

Also, does Splunk not allow 2 or more stanzas with the same monitor line, e.g. monitor::/var/log and monitor::/var/log with different files in the whitelist?
