I recently wrote a new deployment app to monitor IIS log files. The app looks like it was deployed to the test server since I can see the app in the SplunkUniversalForwarder\etc\apps directory on the Windows server.
For some reason, I am not getting any data back from the log files I am trying to monitor.
Here is a copy of the inputs.conf file for the deployed app:
#
# IIS Logging
#
[monitor://D:\LogFiles\IISLogFiles\*\*.log]
disabled = false
followtail = 0
sourcetype=iis
ignoreOlderThan = 180d
index=iislogs
time_before_close = 15
multiline_event_extra_waittime = true
There are currently around 150 files (one per day) in the "d:\LogFiles\IISLogFiles\W3SVC1" directory I am trying to monitor.
Thanks,
I noticed in your question you actually had the config as [monitor://D:\LogFiles\IISLogFiles\*\*.log], but since you didn't post this in code tags, some of the backslashes disappeared. I edited your question, to put the config in code tags, such that this is more clear.
So in that case it is back to good old-fashioned troubleshooting. Any errors in splunkd.log? Does Splunk initiate a watch on that folder? Can you confirm the permissions are set correctly?
Also have a look at: http://docs.splunk.com/Documentation/Splunk/7.0.3/Troubleshooting/Cantfinddata
It looks like the website changes some of the code I posted because I forgot to mark it as Code Sample when I copied it to my post.
Here is what is in my inputs.conf file:
#
# IIS Logging
#
[monitor://D:\LogFiles\IISLogFiles\*\*.log]
disabled = false
followtail = 0
sourcetype=iis
ignoreOlderThan = 180d
index=iislogs
time_before_close = 15
multiline_event_extra_waittime = true
I had already fixed that for you in your original question post by putting it in code tags, but thanks for confirming. See my answer below for some troubleshooting pointers 🙂
It looks like the website automatically changed some of my code in the previous post.
Going to try posting this again, but I will mark it as code sample so it doesn't get changed.
Here is what is in my inputs.conf file:
#
# IIS Logging
#
[monitor://D:\LogFiles\IISLogFiles\*\*.log]
disabled = false
followtail = 0
sourcetype=iis
ignoreOlderThan = 180d
index=iislogs
time_before_close = 15
multiline_event_extra_waittime = true
I think I might have found the issue.
I reviewed the logs on one of the servers that I deployed this app to, but I didn't see any issues. I did see in the logs that the app deployed successfully. Then as part of my troubleshooting I restarted the SplunkForwarder service on one of the Windows servers so I could get some clean log files. As soon as I restarted the service, I started getting the data into the indexers.
I never had to manually restart the service before after deploying new apps. Is there something I need to do differently when deploying file monitoring apps? For example, is there a setting I need to put into the deployment app so it automatically restarts the service when the app gets deployed? Once I'm done testing, I am planning to deploy this app to around 200 servers, and I would hate to have to manually restart the SplunkForwarder service on all these servers.
Thanks,
Triggering a restart upon app deployment is something you configure in the serverclass.conf (set restartSplunkd = true). Or through the Deployment Server GUI: http://docs.splunk.com/Documentation/Splunk/latest/Updating/Useforwardermanagementtomanageapps
Looks like your monitor stanza does not reflect the exact location where the files are.
location: d:\LogFiles\IISLogFiles\W3SVC1
monitor: //D:\LogFiles\IISLogFiles**.log
modify your monitor stanza to match the exact location: (also make sure it matches the file naming convention)
inputs.conf: [monitor://D:\LogFiles\IISLogFiles\W3SVC1\*.log]
disabled = false
followtail = 0
sourcetype=iis
ignoreOlderThan = 180d
index=iislogs
time_before_close = 15
multiline_event_extra_waittime = true
hope it helps
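The checks raised in this thread (merged inputs.conf, wildcard match and file age, permissions, splunkd.log, and whether splunkd has restarted since the app arrived), as an added PowerShell example that is not part of any post above. The install path is an assumed default, the service and process names are the forwarder's usual ones, and it should be run from an elevated prompt on the forwarder.

```powershell
# Added example: checks on a Windows forwarder when a monitor input returns no data.
$SplunkHome  = 'C:\Program Files\SplunkUniversalForwarder'  # assumption: default install path
$MonitorGlob = 'D:\LogFiles\IISLogFiles\*\*.log'            # path from the posted stanza
$MaxAgeDays  = 180                                          # ignoreOlderThan = 180d

# 1. Which inputs.conf supplies the stanza once all apps are merged?
& "$SplunkHome\bin\splunk.exe" btool inputs list --debug |
    Select-String -Pattern 'IISLogFiles' -SimpleMatch -Context 0,8

# 2. Does the wildcard match files, and are they newer than ignoreOlderThan?
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
$files  = @(Get-ChildItem -Path $MonitorGlob -File -ErrorAction SilentlyContinue)
$fresh  = @($files | Where-Object { $_.LastWriteTime -ge $cutoff })
"{0} files match, {1} modified within {2} days" -f $files.Count, $fresh.Count, $MaxAgeDays

# 3. Which account runs the forwarder, and what rights exist on the log directory?
$svc = Get-CimInstance Win32_Service -Filter "Name='SplunkForwarder'"
"Service account: $($svc.StartName), state: $($svc.State)"
(Get-Acl 'D:\LogFiles\IISLogFiles').Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# 4. Did splunkd start a watch on the path, and did it log warnings or errors?
$log = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
Select-String -Path $log -Pattern 'TailingProcessor|WatchedFile|TailReader' |
    Where-Object { $_.Line -match 'IISLogFiles' } |
    Select-Object -Last 20
Select-String -Path $log -Pattern '\s(ERROR|WARN)\s' | Select-Object -Last 20

# 5. Has splunkd restarted since the newest deployed inputs.conf was written?
$started = (Get-Process -Name splunkd | Sort-Object StartTime |
    Select-Object -First 1).StartTime
$newest  = Get-ChildItem "$SplunkHome\etc\apps\*\*\inputs.conf" |
    Sort-Object LastWriteTime | Select-Object -Last 1
if ($newest.LastWriteTime -gt $started) {
    "splunkd has not restarted since $($newest.FullName) was written"
} else {
    "splunkd started after the newest inputs.conf ($($newest.FullName))"
}
```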
