Hi,
I'm evaluating Splunk for the first time. I installed a forwarder on a Windows server and I configured the inputs.conf (/etc/system/local) like this:
[default]
host = name1
[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
[monitor://C:\Program Files (x86)\FileZilla Server\Logs\]
host = name1
index=FTP_logs_2
source="C:\Program Files (x86)\FileZilla Server\Logs\"
disabled = 0
whitelist=.log$
#ignoreOlderThan = 7d
#blacklist=C:\logs\onelog.log
The goal is to monitor FileZilla logs.
Index has been created on indexer.
When I try to search for data by typing name1 in the Splunk search bar, I get no data. name1 is also not in the host tab under the Data Summary button. I first need to search the index to see any data, then search with a random word to find what I want.
Can anyone help me?
Thanks,
By default Splunk will only search the main index. You can add extra default indexes to different roles from Settings > Access controls > Roles: select the appropriate role, and in the section "Indexes searched by default" add the index FTP_logs_2.
However, the search manual states that for efficient searches you should be more specific; adding indexes in this way will search through more data.
Dave
Guys,
I noticed just one thing: my host name1 is still not on the host list in the Data summary. Any ideas?
Thanks a lot
Is the index that your host is in set to be searched by default in your user's role?
It was not; now it's OK!
Thanks again guys!
Indeed! It works!
Thank you all!
What do you see when you search for host=name1?
I see "No results found" 😞
If you search for index=_internal, do you see any events from the host? If not, look at the logs on the forwarder; these will be in %SPLUNK_HOME%\var\log\splunk. Two useful ones to start with are splunkd.log and metrics.log.
Do you see errors in splunkd.log?
Do you see any records in the metrics.log where group=per_index_thruput, series="FTP_logs_2"?
Dave
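A small helper for the metrics.log check above, written as an added example for this answer (not code from the thread or from Splunk): it parses Metrics lines in the format shown in this thread, keeps only group=per_index_thruput, and totals the events and kilobytes reported for one index. The series name is matched case-insensitively, since the log shows the index name in lowercase while inputs.conf uses FTP_logs_2. The sample lines are constructed, not real captures.

```python
import re

# Constructed sample lines in the metrics.log format shown in this thread (not real captures).
SAMPLE_METRICS_LOG = """\
07-07-2016 10:59:23.448 +0200 INFO  Metrics - group=per_index_thruput, series="ftp_logs_2", kbps=1.134435, eps=1.290304, kb=35.167969, ev=40, avg_age=375332.150000, max_age=1073997
07-07-2016 10:59:23.448 +0200 INFO  Metrics - group=per_index_thruput, series="_internal", kbps=0.512000, eps=2.000000, kb=15.875000, ev=62, avg_age=0.000000, max_age=1
07-07-2016 10:59:23.448 +0200 INFO  Metrics - group=per_host_thruput, series="name1", kbps=1.646435, eps=3.290304, kb=51.042969, ev=102, avg_age=0.000000, max_age=1
07-07-2016 10:59:54.450 +0200 INFO  Metrics - group=per_index_thruput, series="ftp_logs_2", kbps=0.201234, eps=0.322576, kb=6.238281, ev=10, avg_age=375363.150000, max_age=1074028
"""

# One Metrics line: timestamp with offset, log level, "Metrics - ", then comma-separated key=value fields.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) \S+\s+Metrics - (?P<fields>.*)$'
)
# A field is key=value; the value is either quoted (series="...") or bare (kb=35.167969).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_metrics(text):
    """Yield (timestamp, {field: value}) for every Metrics line in text; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # findall returns (key, quoted_value, bare_value); exactly one of the two values is non-empty.
        fields = {k: q or b for k, q, b in FIELD_RE.findall(m.group("fields"))}
        yield m.group("ts"), fields


def index_throughput(text, index_name):
    """Total the per_index_thruput samples for index_name (case-insensitive series match)."""
    totals = {"lines": 0, "ev": 0, "kb": 0.0, "first": None, "last": None}
    for ts, f in parse_metrics(text):
        if f.get("group") != "per_index_thruput":
            continue
        if f.get("series", "").lower() != index_name.lower():
            continue
        totals["lines"] += 1
        totals["ev"] += int(f["ev"])
        totals["kb"] += float(f["kb"])
        totals["first"] = totals["first"] or ts
        totals["last"] = ts
    # lines == 0 means the forwarder never reported data for this index in the sampled period.
    return totals


if __name__ == "__main__":
    print(index_throughput(SAMPLE_METRICS_LOG, "FTP_logs_2"))
```

Run it against a copy of the forwarder's %SPLUNK_HOME%\var\log\splunk\metrics.log by reading that file into the text argument; a result with lines == 0 is the "no records for the series" case Dave describes.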
Actually, I do, with the filter "index=_internal host=name1".
I did not see errors in splunkd.log on the forwarder.
I see records like this one in metrics.log:
"07-07-2016 10:59:23.448 +0200 INFO Metrics - group=per_index_thruput, series="ftp_logs_2", kbps=1.134435, eps=1.290304, kb=35.167969, ev=40, avg_age=375332.150000, max_age=1073997"
OK, the metrics.log events indicate that the file is being monitored. The search indicates that the forwarder is sending events to the indexer as expected.
If you enter the search
index=FTP_logs_2
do you see any events?
Dave
I do. It's the only way I found to retrieve data from this input.
At this step, the filter is "index=FTP_logs_2".
If I add "host=name1" in order to obtain "index=FTP_logs_2 host=name1" as a filter, I get the same results. But if I only use "host=name1", I do not obtain results. Don't know if this helps.
Thanks!
On the forwarder, try running the command bin/splunk list forward-server from the splunk folder.
Does it say that the connection between the forwarder and the Splunk server is active?
This forwarder is on Windows. How do I check this on that OS, please? Thanks
From a cmd prompt, run
C:\Program Files\SplunkUniversalForwarder\bin\splunk list forward-server
Or also from cmd
change to drive C: if it isn't already.
cd into \Program Files\SplunkUniversalForwarder\bin
type splunk list forward-server
Are you the only user on your system? Is your role able to search that index?
You should also make sure to define, in your inputs.conf stanza, the sourcetype that you're interested in.
Lastly is there a reason for using the whitelist setting? Are there some logs in that directory you're not interested in?
I'm the only user and I'm with the default admin account.
I tried whitelist to troubleshoot, but it's not effective.