Every time I think I have Splunk figured out - I don't.
Logs stopped forwarding from my server to a specific index. I can see that logs are still forwarding probably to the default group but as you can see from my inputs.conf file it SHOULD be going to jim_test. I can confirm this is in the system/local so the precedence should be ok. Most of what I'm seeing in splunkd.log on the forwarder are successful calls "home".
[default]
host = ctl-ansible0104
queueSize = 10MB
sslVersions = tls
[monitor:///var/log/messages]
disabled = false
index = jim_test
sourcetype = linux_messages_syslog
Not sure what other things I should be troubleshooting.
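One way to check which inputs.conf layer actually wins for a monitored file, as an added illustration that is not part of the original post or of Splunk's own code: it merges constructed copies of the stanza above across two hypothetical layers in Splunk's precedence order and reports the effective index together with the file it came from.

```python
"""Resolve which inputs.conf layer wins for a monitored file (added example)."""
import configparser

# Constructed sample layers. Splunk's global precedence, highest first:
# etc/system/local > etc/apps/*/local > etc/apps/*/default > etc/system/default
APP_DEFAULT = """
[monitor:///var/log/messages]
index = main
sourcetype = syslog
"""
SYSTEM_LOCAL = """
[default]
host = ctl-ansible0104
queueSize = 10MB
sslVersions = tls
[monitor:///var/log/messages]
disabled = false
index = jim_test
sourcetype = linux_messages_syslog
"""
# Ordered lowest -> highest precedence; later entries override earlier ones.
LAYERS = [
    ("etc/apps/example/default/inputs.conf", APP_DEFAULT),  # hypothetical app
    ("etc/system/local/inputs.conf", SYSTEM_LOCAL),
]

def parse_conf(text):
    """Parse one .conf file; the [default] stanza applies to every other stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   default_section="default")
    cp.optionxform = str  # Splunk keys are case-sensitive (queueSize, sslVersions)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def effective_settings(layers, stanza):
    """Merge a stanza across layers; each key is won by the highest layer setting it."""
    merged, origin = {}, {}
    for path, text in layers:
        for key, value in parse_conf(text).get(stanza, {}).items():
            merged[key], origin[key] = value, path
    return merged, origin

def effective_index(layers, stanza):
    """Return (index, source_file); index is None when the input is disabled."""
    merged, origin = effective_settings(layers, stanza)
    if merged.get("disabled", "false").strip().lower() in ("true", "1"):
        return None, origin["disabled"]
    # No index key anywhere: the indexer routes the events to its default index.
    return merged.get("index", "<indexer default>"), origin.get("index", "<unset>")
```

On a real forwarder the equivalent check is `splunk btool inputs list --debug`, which prints the file each effective setting came from; if the winning stanza already says `index = jim_test`, the remaining suspects are a restart that never happened or the search itself.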
After adding /var/log/messages, did you restart Splunk on the UF?
Is the /var/log/messages file getting forwarded to the wrong index, or not getting forwarded at all?
Are other log files getting to the Splunk indexer properly?
Of course now it's working. Maybe I had my search syntax wrong 😞
I'm going to accept your answer since you took the time to reply to me.