The CSV files are forwarded from a Linux UF agent to Splunk as and when they are created, i.e. at 2:50 CET. A file created at 2:50 CET on the same UF agent is not showing up in Splunk.
The inputs.conf file of the app does not have any intervals configured.
Please find the details requested by you.
Inputs.conf
[monitor:///directoryname/region_202*]
disabled = 0
index = custom_normal
sourcetype = custom_test
Permissions for this file:
-rw-r--r-- 1 nobody nobody 1388 May 1 20:50
No error in splunkd.log wrt this application.
Can you elaborate a little more wrt "Are the UF's internal logs being sent to the indexers?"
When I asked "Are the UF's internal logs being sent to the indexers?", I was wondering if you can search for index=_internal host=<<forwarder name>> and see the forwarder's logs. If so, then connectivity is confirmed; otherwise, it is not.
I am getting data for this query: index=_internal host=forwardername*. This shows that connectivity is not an issue.
Agreed. So now we focus on the file(s) the UF is trying to read. If you run splunk list monitor on the UF, does it show the expected file(s)? If not, then the monitor stanza is incorrect or the UF is not finding the stanza.
Thanks for your response.
When I run the command ./splunk list monitor on my UF I am able to see the input, i.e. I get the expected file path.
A few steps that I tried from my end:
I appended to the files at the same location for AMER, APAC and Emea-non-ngdc. I can see the appended changes reflected in the Splunk SH, but I am still not getting data from Emea-non-ngdc.
We need more information.
What are the inputs.conf settings for the file?
Does the UF have read access to the file?
Are the UF's internal logs being sent to the indexers?
Are there any error messages about the file in the logs?