Splunk Enterprise

Why is UF agent unable to send data for a csv file?

akgmail
Engager

The CSV files are forwarded from a Linux UF agent to Splunk as and when they are created, i.e. at 2:50 CET. A file created at 2:50 CET on the same UF agent is not showing up in Splunk.

The inputs.conf file of the app does not have any intervals configured.


akgmail
Engager

Please find the details you requested.

Inputs.conf

[monitor:///directoryname/region_202*]
disabled = 0
index = custom_normal
sourcetype = custom_test

Permissions for this file:

-rw-r--r-- 1 nobody nobody 1388 May 1 20:50

No errors in splunkd.log with respect to this application.

Can you elaborate a little more on "Are the UFs internal logs being sent to the indexers?"


richgalloway
SplunkTrust

When I asked "Are the UFs internal logs being sent to the indexers?", I'm wondering if you can search for index=_internal host=<<forwarder name>> and see the forwarder's logs. If so, then connectivity is confirmed; otherwise, it is not.

---
If this reply helps you, Karma would be appreciated.

AK_Splunk
Explorer

I am getting data for this query: index=_internal host=forwardername*. This indicates that connectivity is not an issue.


richgalloway
SplunkTrust

Agreed.  So now we focus on the file(s) the UF is trying to read. If you run splunk list monitor on the UF, does it show the expected file(s)?  If not, then the monitor stanza is incorrect or the UF is not finding the stanza.

---
If this reply helps you, Karma would be appreciated.

akgmail
Engager

Hi @richgalloway

Thanks for your response.

When I run the command ./splunk list monitor on my UF, I am able to see the input, i.e. I get the expected file path.

A few steps that I tried from my end:

I appended the files at the same location for AMER, APAC and Emea-non-ngdc. I can see the appended changes reflecting in the Splunk SH, but I am still not getting data from Emea-non-ngdc.


richgalloway
SplunkTrust

We need more information.

What are the inputs.conf settings for the file? 

Does the UF have read access to the file?

Are the UFs internal logs being sent to the indexers?

Are there any error messages about the file in the logs?

---
If this reply helps you, Karma would be appreciated.
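
Added example, not part of any post in this thread: a small offline check for the first two questions above (does the monitor stanza match the file, and can the UF user read it). It uses the stanza posted in the thread and Splunk's documented wildcard translation (`...` becomes `.*`, `*` becomes `[^/]*`); the file listing, the file names and the run-as user `splunk` are constructed assumptions.

```python
import re

# Stanza as posted in this thread; the listing lines below are constructed.
INPUTS_CONF = """[monitor:///directoryname/region_202*]
disabled = 0
index = custom_normal
sourcetype = custom_test
"""
LISTING = """\
-rw-r--r-- 1 nobody nobody 1388 May  1 20:50 /directoryname/region_2024_AMER.csv
-rw-r----- 1 root root 1388 May  1 20:50 /directoryname/region_2024_APAC.csv
-rw-r--r-- 1 nobody nobody 1388 May  1 20:50 /directoryname/emea_region_2024.csv
-rw-r--r-- 1 nobody nobody 1388 May  1 20:50 /directoryname/region_2024/EMEA.csv
"""

def monitor_regex(path):
    """Anchored regex for a monitor path: '...' -> '.*', '*' -> '[^/]*'."""
    parts = re.split(r"(\.\.\.|\*)", path)
    body = "".join(".*" if p == "..." else "[^/]*" if p == "*" else re.escape(p)
                   for p in parts)
    return re.compile("^" + body + "$")

def readable_by(mode, owner, group, user, user_groups):
    """POSIX class selection on an ls -l mode string (file bits only; the
    parent directories also need the execute bit, not checked here)."""
    if user == "root":
        return True
    if user == owner:
        return mode[1] == "r"
    if group in user_groups:
        return mode[4] == "r"
    return mode[7] == "r"

def check(conf_text, listing, uf_user, uf_groups):
    """Map each listed path to 'ok' or the reason the UF would skip it."""
    patterns = [monitor_regex(p) for p in
                re.findall(r"^\[monitor://(.+)\]\s*$", conf_text, re.M)]
    report = {}
    for line in listing.splitlines():
        mode, _, owner, group, _, _, _, _, path = line.split(None, 8)
        if not any(rx.match(path) for rx in patterns):
            report[path] = "no monitor stanza matches"
        elif not readable_by(mode, owner, group, uf_user, uf_groups):
            report[path] = "matched, but not readable by " + uf_user
        else:
            report[path] = "ok"
    return report

if __name__ == "__main__":
    # Assumption: the forwarder runs as a non-root user named "splunk".
    for path, verdict in check(INPUTS_CONF, LISTING, "splunk", {"splunk"}).items():
        print(f"{verdict:40} {path}")
```

To use it on a real host, paste the relevant stanza and the `ls -l` lines (with full paths) for the files in question in place of the constructed samples.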