Splunk Enterprise

Why is UF agent unable to send data for a csv file?

akgmail
Explorer

The CSV files are forwarded from a Linux UF agent to Splunk as and when they are created, i.e. at 2:50 CET. A file created at 2:50 CET on the same UF agent is not showing up in Splunk.

The inputs.conf file of the app does not have any intervals configured.


akgmail
Explorer

Please find the details requested by you.

inputs.conf

[monitor:///directoryname/region_202*]
disabled = 0
index = custom_normal
sourcetype = custom_test

Permissions for this file:

-rw-r--r-- 1 nobody nobody 1388 May 1 20:50

No errors in splunkd.log wrt this application.

Can you elaborate a little more wrt -> Are the UFs internal logs being sent to the indexers?


richgalloway
SplunkTrust

When I asked "Are the UFs internal logs being sent to the indexers?", I'm wondering if you can search for index=_internal host=<<forwarder name>> and see the forwarder's logs. If so, then connectivity is confirmed; otherwise, it is not.

---
If this reply helps you, Karma would be appreciated.

AK_Splunk
Explorer

I am getting data for this query --> index=_internal host=forwardername*. This indicates that connectivity is not an issue.


richgalloway
SplunkTrust

Agreed.  So now we focus on the file(s) the UF is trying to read. If you run splunk list monitor on the UF, does it show the expected file(s)?  If not, then the monitor stanza is incorrect or the UF is not finding the stanza.


akgmail
Explorer

Hi @richgalloway

Thanks for your response.

When I run the command ./splunk list monitor on my UF, I am able to see the input, i.e. I get the expected file path.

A few steps that I tried from my end:

I appended the files at the same location for AMER, APAC and Emea-non-ngdc. I can see the appended changes reflecting in the Splunk SH, but I am still not getting data from Emea-non-ngdc.

richgalloway
SplunkTrust

We need more information.

What are the inputs.conf settings for the file? 

Does the UF have read access to the file?

Are the UFs internal logs being sent to the indexers?

Are there any error messages about the file in the logs?
