- Find Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Monitoring a text file Issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Monitoring a text file Issue
I am trying to extract some information from a text file. This is how my inputs.conf looks like,
[monitor://C:\Temp\ServerInfo_Tag.txt]
sourcetype = ABC
index = filelog
crcSalt =
I pushed this config across 4000 windows servers. Ideally Splunk should pickup the file content as soon as the config is pushed.
But strange thing here is, I can see the file content as an event on Splunk for ONLY 3000 servers.
For the other 1000 servers I have to modify the file to get the file content on Splunk.
Is there a way to get the file content without modifying the file?
Config doesn't seem to be an issue here as it it working for other servers and there are no port related issues on the other 1000 servers as I can see the data on Splunk after modifying the file.
Any suggestions here are highly appreciated.
Thanks,
Channesh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would check splunkd.log (index=_internal sourcetype=splunkd host=yourWinServer) for errors for the file. Are you restarting splunk on your windows servers after pushing the configurations (handled by restartSplunkd attribute on serverclass.conf)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 Log has this information which is hard to understand.
03-12-2019 11:21:56.938 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://C:\CWXTI\ServerInfo_Tag.txt.
03-12-2019 11:21:56.938 -0400 INFO TailReader - State transitioning from 1 to 0 (initOrResume).
03-12-2019 11:21:56.938 -0400 INFO TailReader - State transitioning from 1 to 0 (initOrResume).
03-12-2019 11:21:56.938 -0400 INFO TailingProcessor - Adding watch on path: C:\CWXTI\ServerInfo_Tag.txt.
Yes, servers are being restarted after pushing the configurations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 I could these logs related to the file I am monitoring.
03-12-2019 11:21:56.938 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://C:\CWXTI\ServerInfo_Tag.txt.
03-12-2019 11:21:56.938 -0400 INFO TailingProcessor - Parsing configuration stanza: monitor://C:\Program Files\CernerESM\sentinel\sentinel.config.
03-12-2019 11:21:56.938 -0400 INFO TailReader - State transitioning from 1 to 0 (initOrResume).
03-12-2019 11:21:56.938 -0400 INFO TailReader - State transitioning from 1 to 0 (initOrResume).
03-12-2019 11:21:56.938 -0400 INFO TailingProcessor - Adding watch on path: C:\CWXTI\ServerInfo_Tag.txt.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[monitor://C:\CWXTI\ServerInfo_Tag.txt]
crcSalt =
sourcetype = SENT
index = wineventlog
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
