Splunk Enterprise

Why is UF agent unable to send data for a csv file?

akgmail
Engager

The CSV files are getting forwarded from a Linux UF agent to Splunk as and when they are created, i.e. 2:50 CET time. A file getting created at 2:50 CET time on the same UF agent is not reflecting in Splunk.

The inputs.conf file of the app is not having any intervals configured.

0 Karma

akgmail
Engager

Please find the details requested by you.

Inputs.conf

[monitor:///directoryname/region_202*]
disabled = 0
index = custom_normal
sourcetype = custom_test

Permissions for this file:

-rw-r--r-- 1 nobody nobody 1388 May 1 20:50

No error in splunkd.log wrt this application.

Can you elaborate a little more wrt -> Are the UFs internal logs being sent to the indexers?

0 Karma

richgalloway
SplunkTrust

When I asked "Are the UFs internal logs being sent to the indexers?", I'm wondering if you can search for index=_internal host=<<forwarder name>> and see the forwarder's logs. If so, then connectivity is confirmed; otherwise, it is not.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

AK_Splunk
Observer

I am getting data for this query --> index=_internal host=forwardername*. This depicts that the connectivity is not an issue.

0 Karma

richgalloway
SplunkTrust

Agreed. So now we focus on the file(s) the UF is trying to read. If you run splunk list monitor on the UF, does it show the expected file(s)? If not, then the monitor stanza is incorrect or the UF is not finding the stanza.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

akgmail
Engager

Hi @richgalloway

Thanks for your response.

When I run the command ./splunk list monitor on my UF, I am able to see the input, i.e. I get the expected file path.

A few steps that I tried from my end:

I appended the files at the same location for AMER, APAC and Emea-non-ngdc. I can see the appended changes reflecting in the Splunk SH, but I am still not getting data from Emea-non-ngdc.

0 Karma

richgalloway
SplunkTrust

We need more information.

What are the inputs.conf settings for the file? 

Does the UF have read access to the file?

Are the UFs internal logs being sent to the indexers?

Are there any error messages about the file in the logs?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
