I'm evaluating Splunk for the first time. I installed a forwarder on a Windows server and I configured the inputs.conf (/etc/system/local) like this:
[default]
host = name1

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

[monitor://C:\Program Files (x86)\FileZilla Server\Logs\]
host = name1
index=FTP_logs_2
source="C:\Program Files (x86)\FileZilla Server\Logs\"
disabled = 0
whitelist=.log$
#ignoreOlderThan = 7d
#blacklist=C:\logs\onelog.log
The goal is to monitor FileZilla logs.
Index has been created on indexer.
When I try to search for data by typing name1 in the Splunk search bar, I get no data. name1 is also not in the host tab of the Data Summary view. I first need to search the index in order to see data, and then search for a random word to find what I want.
Can anyone help me?
Are you the only user on your system? Is your role able to search that index?
You should also make sure to define the sourcetype that you're interested in in your inputs.conf stanza.
Lastly, is there a reason for using the whitelist setting? Are there some logs in that directory you're not interested in?
I'm the only user and I'm with the default admin account.
I tried whitelist to troubleshoot, but it's not effective.
On the forwarder, try running this command from the Splunk folder: bin/splunk list forward-server
Does it say that the connection between the forwarder and the Splunk server is active?
This forwarder is on Windows. How do I check this on that OS, please? Thanks
From a cmd prompt, run
C:\Program Files\SplunkUniversalForwarder\bin\splunk list forward-server
Or also from cmd
change to drive C: if it isn't already.
splunk list forward-server
What do you see when you search for
If you search for index=_internal, do you see any events from the host? If not, look at the logs on the forwarder; these will be in %SPLUNK_HOME%\var\log\splunk. Two useful ones to start with are splunkd.log and metrics.log.
Do you see errors in the splunkd.log?
Do you see any records in the metrics.log where group=per_index_thruput, series="FTP_logs_2"?
Actually, I do, with the filter "index=_internal host=name1".
I did not see errors in splunkd.log on the forwarder.
I see records like this one in metrics.log:
"07-07-2016 10:59:23.448 +0200 INFO Metrics - group=per_index_thruput, series="ftp_logs_2", kbps=1.134435, eps=1.290304, kb=35.167969, ev=40, avgage=375332.150000, maxage=1073997"
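A small check for the metrics.log question above, added here as an example and not taken from the thread: it parses per_index_thruput records from a forwarder's metrics.log and reports whether events have been sent for the configured index. The log text is constructed (the first line mirrors the record quoted in the thread), and the index-name comparison is case-insensitive because that record shows the series in lowercase.

```python
import re
from collections import defaultdict

# Constructed sample of a universal forwarder's metrics.log. The first line
# mirrors the record quoted in the thread; the others are made up here.
SAMPLE_METRICS_LOG = """\
07-07-2016 10:59:23.448 +0200 INFO Metrics - group=per_index_thruput, series="ftp_logs_2", kbps=1.134435, eps=1.290304, kb=35.167969, ev=40, avgage=375332.150000, maxage=1073997
07-07-2016 10:59:23.448 +0200 INFO Metrics - group=per_index_thruput, series="_internal", kbps=0.529123, eps=0.612903, kb=16.402344, ev=19, avgage=0.210526, maxage=1
07-07-2016 10:59:23.448 +0200 INFO Metrics - group=per_host_thruput, series="name1", kbps=1.663558, eps=1.903207, kb=51.570313, ev=59, avgage=120849.440678, maxage=1073997
07-07-2016 10:59:23.450 +0200 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=1.663558, instantaneous_eps=1.903207, average_kbps=1.500000, total_k_processed=1234, kb=51.570313, ev=59
"""

# A Metrics record is "... INFO Metrics - group=<name>, key=value, key=value ..."
METRICS_RE = re.compile(r"INFO Metrics - group=(?P<group>\w+), (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')


def parse_metrics_line(line):
    """Return (group, fields) for a Metrics line, or None for any other line."""
    m = METRICS_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, val in KV_RE.findall(m.group("rest")):
        val = val.strip('"')
        try:
            fields[key] = float(val)   # numeric counters such as ev, kb, kbps
        except ValueError:
            fields[key] = val          # names such as series="ftp_logs_2"
    return m.group("group"), fields


def index_throughput(log_text):
    """Sum events (ev) and kilobytes (kb) per index over per_index_thruput records."""
    totals = defaultdict(lambda: {"ev": 0.0, "kb": 0.0})
    for line in log_text.splitlines():
        parsed = parse_metrics_line(line)
        if parsed is None:
            continue
        group, fields = parsed
        if group == "per_index_thruput" and "series" in fields:
            totals[fields["series"]]["ev"] += fields.get("ev", 0.0)
            totals[fields["series"]]["kb"] += fields.get("kb", 0.0)
    return dict(totals)


def forwarder_sends_to_index(log_text, index_name):
    """True if the forwarder has reported at least one event for index_name.
    Case-insensitive: the quoted record shows the series in lowercase while
    inputs.conf in the thread spells the index FTP_logs_2."""
    wanted = index_name.lower()
    return any(name.lower() == wanted and t["ev"] > 0
               for name, t in index_throughput(log_text).items())
```

If this returns True for the configured index, the forwarder side is delivering events and the search problem lies on the indexer or in the search itself (index name, role permissions, time range).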