Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Log file not being forwarded / indexed anymore?

nathanlhopkins
Path Finder
‎05-15-2013 03:59 PM

As someone new to Splunk would appreciate some guidance - whilst I had some success in that an inputs and outputs have been configured and I can now search data in the GUI - it appears data has stopped being forwarded / consumed, the last event is Wed May 15 13:58:52 2013

However I can see the log files are still being updated and the data is constantly being added too.

Is my configuration in inputs wrong?

[monitor:///crd/ua1/mtusr10/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
index = crd_index

[monitor:///crd/ua1/mtusr11/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
index = crd_index

[monitor:///crd/ua1/mtusr11/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
index = crd_index

Extract from splunkd on forwarder;

05-15-2013 23:22:16.465 +0100 INFO TailingProcessor - Parsing configuration stanza: monitor:///crd/ua1/mtusr11/91/serverapps/logs.
05-15-2013 23:22:16.465 +0100 INFO TailingProcessor - Adding watch on path: /crd/ua1/mtsys10/91/serverapps/logs.

Appreciate any help or guidance on things to check?

Tags (2)
0 Karma
Reply

nathanlhopkins
Path Finder
‎05-18-2013 03:37 PM

A found this was due to a lack of understanding of the front end GUI - the data was being consumed as required.

0 Karma
Reply

Ayn
Legend
‎05-16-2013 05:52 AM

amrit's script for checking input statuses could definitely help you out here: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

0 Karma
Reply

kml_uvce
Builder
‎05-15-2013 08:56 PM

can you try like this below and change whitelist...

[monitor:///crd/ua1/mtusr10/91/serverapps/logs]
whitelist = cr_server\.html$
disabled = false
crcSalt =
index = crd_index

-Kamal Bisht

kamal singh bisht
0 Karma
Reply

kml_uvce
Builder
‎05-16-2013 06:55 AM

can you send me splunkd logs from indexer side.

kamal singh bisht
0 Karma
Reply

nathanlhopkins
Path Finder
‎05-16-2013 05:04 AM

Many thanks, I've checked and those \'s are already there (paste issue)

Any other suggestions?

0 Karma
Reply
Get Updates on the Splunk Community!

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...

[Live Demo] Watch SOC transformation in action with the reimagined Splunk Enterprise ...

Overwhelmed SOC? Splunk ES Has Your Back Tool sprawl, alert fatigue, and endless context switching are making ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us on ...