Splunk Enterprise

Modified inputs.conf in deployment server, pushed to forwarders, but Splunk search head is not retrieving alarms

chrisang
New Member

When I tried to add an extra path in the Splunk deployment client (Wildfly logs new):

# Wildfly logs
[monitor:///opt/applications/wildfly/standalone/log/server.log]
sourcetype = jboss_log
disabled = false
followTail = 0
index = newvt_prod
blacklist = .*\.(old|temp|gz|bz2|zip)$

# Wildfly logs new
[monitor:///opt/applications/wildfly/standalone-ext/log/server.log]
sourcetype = jboss_log
disabled = false
followTail = 0
index = newvt_prod
blacklist = .*\.(old|temp|gz|bz2|zip)$

 

and pushed it to the forwarders, the index cannot retrieve any logs from the following path:
/opt/applications/wildfly/standalone-ext/log/server.log

only retrieves from the old path:

/opt/applications/wildfly/standalone/log/server.log

1. Checked permissions; they are OK, r-x for the splunk user.
2. Checked the path and it is OK, no misspelling.
3. Checked the index and it is growing in size; it is not disabled.

I cannot find any other issue. Can someone help?

BR/

CAngel

0 Karma

richgalloway
SplunkTrust

Did you restart the forwarders after pushing the new inputs.conf?

---
If this reply helps you, Karma would be appreciated.
0 Karma
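
The restart question above matters because `restartSplunkd` defaults to false, so an updated deployment app is downloaded without splunkd being restarted on the client. As an added example (not from the thread; the server class name `wildfly_forwarders`, the app name `wildfly_inputs` and the host pattern are hypothetical), this serverclass.conf fragment on the deployment server makes clients restart splunkd whenever the app carrying inputs.conf is updated:

```ini
# serverclass.conf on the deployment server
# Added example; server class, app name and host pattern are hypothetical.

[serverClass:wildfly_forwarders]
# Hypothetical pattern selecting the forwarders that run Wildfly
whitelist.0 = wildfly-*

[serverClass:wildfly_forwarders:app:wildfly_inputs]
# Default is false: the updated app is downloaded, but splunkd on the
# client is not restarted.
restartSplunkd = true
```

After editing serverclass.conf, `splunk reload deploy-server` on the deployment server makes it re-read the file.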

chrisang
New Member

Hi,
 
Is it possible that the application is disabled, so Splunk cannot retrieve logs? The directory is there and the log is there: "/opt/applications/wildfly/standalone-ext/log/server.log", but the application is not yet functional.
Is Splunk checking whether the log grows in size, and if it does not, does the Splunk indexing stop?
 
br/
C.Angel
0 Karma