Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Log file not being forwarded / indexed anymore?

nathanlhopkins
Path Finder
‎05-15-2013 03:59 PM

As someone new to Splunk would appreciate some guidance - whilst I had some success in that an inputs and outputs have been configured and I can now search data in the GUI - it appears data has stopped being forwarded / consumed, the last event is Wed May 15 13:58:52 2013

However I can see the log files are still being updated and the data is constantly being added too.

Is my configuration in inputs wrong?

[monitor:///crd/ua1/mtusr10/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
index = crd_index

[monitor:///crd/ua1/mtusr11/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
index = crd_index

[monitor:///crd/ua1/mtusr11/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
index = crd_index

Extract from splunkd on forwarder;

05-15-2013 23:22:16.465 +0100 INFO TailingProcessor - Parsing configuration stanza: monitor:///crd/ua1/mtusr11/91/serverapps/logs.
05-15-2013 23:22:16.465 +0100 INFO TailingProcessor - Adding watch on path: /crd/ua1/mtsys10/91/serverapps/logs.

Appreciate any help or guidance on things to check?

Tags (2)
0 Karma
Reply

nathanlhopkins
Path Finder
‎05-18-2013 03:37 PM

A found this was due to a lack of understanding of the front end GUI - the data was being consumed as required.

0 Karma
Reply

Ayn
Legend
‎05-16-2013 05:52 AM

amrit's script for checking input statuses could definitely help you out here: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

0 Karma
Reply

kml_uvce
Builder
‎05-15-2013 08:56 PM

can you try like this below and change whitelist...

[monitor:///crd/ua1/mtusr10/91/serverapps/logs]
whitelist = cr_server\.html$
disabled = false
crcSalt =
index = crd_index

-Kamal Bisht

kamal singh bisht
0 Karma
Reply

kml_uvce
Builder
‎05-16-2013 06:55 AM

can you send me splunkd logs from indexer side.

kamal singh bisht
0 Karma
Reply

nathanlhopkins
Path Finder
‎05-16-2013 05:04 AM

Many thanks, I've checked and those \'s are already there (paste issue)

Any other suggestions?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...