Hi,
I'm evaluating Splunk for the first time. I installed a forwarder on a Windows server and I configured the inputs.conf (/etc/system/local) like this:
[default]
host = name1
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[monitor://C:\Program Files (x86)\FileZilla Server\Logs\]
host = name1
index=FTP_logs_2
source="C:\Program Files (x86)\FileZilla Server\Logs\"
disabled = 0
whitelist=.log$
#ignoreOlderThan = 7d
#blacklist=C:\logs\onelog.log
The goal is to monitor FileZilla logs.
Index has been created on indexer.
When I try to search data by typing name1 in the Splunk search bar, I get no data. name1 is also not in the host tab under the Data Summary button. I first need to search the index in order to see data, and then search with a random word to find what I want.
Can anyone help me?
Thanks,
By default Splunk will only search the main index. You can add extra default indexes to different roles from Settings > Access controls > Roles: select the appropriate role, and in the section "Indexes searched by default" add the index FTP_logs_2.
However, the search manual states that for efficient searches you should be more specific; adding indexes in this way will search through more data.
Dave
Guys,
I noticed just one thing: my host name1 is still not on the host list in the Data summary. Any ideas?
Thanks a lot
Is the index that your host is in set to be searched by default in your user's role?
It was not; now it's OK!
Thanks again, guys!
Indeed! It works!
Thank you all!
What do you see when you search for host=name1?
I see "No results found" 😞
If you search for index=_internal, do you see any events from the host? If not, look at the logs on the forwarder; these will be in %SPLUNK_HOME%\var\log\splunk. Two useful ones to start with are splunkd.log and metrics.log.
Do you see errors in the splunkd.log?
Do you see any records in the metrics.log where group=per_index_thruput, series="FTP_logs_2"?
Dave
Actually, I do, with the filter "index=_internal host=name1".
I did not see errors in splunkd.log on the forwarder.
I see records like this one in metrics.log:
"07-07-2016 10:59:23.448 +0200 INFO Metrics - group=per_index_thruput, series="ftp_logs_2", kbps=1.134435, eps=1.290304, kb=35.167969, ev=40, avg_age=375332.150000, max_age=1073997"
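To turn the metrics.log check suggested above into something you can run over a saved copy of the forwarder's log, here is an added example (not from the thread and not Splunk's own tooling): it parses per_index_thruput lines in the format quoted above and totals events per index, comparing index names case-insensitively since inputs.conf says FTP_logs_2 while the log line shows ftp_logs_2. The sample lines are constructed; only the first is the line from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the metrics.log entry quoted in the thread:
# the first line is that entry, the other three are made up for illustration.
SAMPLE_METRICS = """\
07-07-2016 10:59:23.448 +0200 INFO Metrics - group=per_index_thruput, series="ftp_logs_2", kbps=1.134435, eps=1.290304, kb=35.167969, ev=40, avg_age=375332.150000, max_age=1073997
07-07-2016 10:59:23.448 +0200 INFO Metrics - group=per_index_thruput, series="_internal", kbps=0.512000, eps=3.000000, kb=15.875000, ev=93, avg_age=0.200000, max_age=2
07-07-2016 10:59:23.449 +0200 INFO Metrics - group=per_host_thruput, series="name1", kbps=1.646435, eps=4.290304, kb=51.042969, ev=133, avg_age=112000.000000, max_age=1073997
07-07-2016 10:59:54.448 +0200 INFO Metrics - group=per_index_thruput, series="ftp_logs_2", kbps=0.000000, eps=0.000000, kb=0.000000, ev=0, avg_age=0.000000, max_age=0
"""

LINE_RE = re.compile(r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
                     r'(?P<level>\w+) Metrics - (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|[^,]+)')  # key=value, value quoted or bare

def parse_metrics_line(line):
    """Return (timestamp, level, {field: value}) for a Metrics line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        fields[key] = quoted if raw.startswith('"') else raw
    return m.group("ts"), m.group("level"), fields

def index_throughput(text, group="per_index_thruput"):
    """Sum events (ev) and kilobytes (kb) per series for one metrics group."""
    totals = defaultdict(lambda: {"ev": 0, "kb": 0.0, "samples": 0})
    for line in text.splitlines():
        parsed = parse_metrics_line(line)
        if parsed is None:
            continue
        f = parsed[2]
        if f.get("group") != group or "series" not in f:
            continue
        t = totals[f["series"]]
        t["ev"] += int(f.get("ev", 0))
        t["kb"] += float(f.get("kb", 0.0))
        t["samples"] += 1
    return dict(totals)

def confirm_index(text, expected_index):
    """True if the forwarder reported at least one event for expected_index.
    Compared case-insensitively: inputs.conf says FTP_logs_2, metrics.log shows ftp_logs_2."""
    totals = index_throughput(text)
    hits = [s for s in totals if s.lower() == expected_index.lower()]
    return bool(hits) and totals[hits[0]]["ev"] > 0
```

Run it against `%SPLUNK_HOME%\var\log\splunk\metrics.log` read from disk in place of SAMPLE_METRICS; a series that never appears, or appears only with ev=0, means the input has not read anything, which is a forwarder-side problem rather than a search-permission one.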
OK, the metrics.log events indicate that the file is being monitored. The search indicates that the forwarder is sending events to the indexer as expected.
If you enter the search index=FTP_logs_2, do you see any events?
Dave
I do. It's the only way I found to retrieve data from this input.
At this step, the filter is "index=FTP_logs_2".
If I add "host=name1" to obtain "index=FTP_logs_2 host=name1" as a filter, I get the same results. But if I use only "host=name1", I get no results. Don't know if this helps.
Thanks!
On the forwarder, try running the command bin/splunk list forward-server from the Splunk folder.
Does it say that the connection between the forwarder and the Splunk server is active?
This forwarder is a Windows machine. How do I check this on this OS, please? Thanks
From a cmd prompt, run (the path contains spaces, so it must be quoted):
"C:\Program Files\SplunkUniversalForwarder\bin\splunk" list forward-server
Or, also from cmd:
change to drive C: if it isn't already;
cd into \Program Files\SplunkUniversalForwarder\bin;
type splunk list forward-server
Are you the only user on your system? Is your role able to search that index?
You should also make sure to define the sourcetype that you're interested in in your inputs.conf stanza.
Lastly, is there a reason for using the whitelist setting? Are there some logs in that directory you're not interested in?
I'm the only user, and I'm using the default admin account.
I tried whitelist to troubleshoot, but it's not effective.