Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Log file not being forwarded / indexed anymore?

nathanlhopkins
Path Finder
‎05-15-2013 03:59 PM

As someone new to Splunk would appreciate some guidance - whilst I had some success in that an inputs and outputs have been configured and I can now search data in the GUI - it appears data has stopped being forwarded / consumed, the last event is Wed May 15 13:58:52 2013

However I can see the log files are still being updated and the data is constantly being added too.

Is my configuration in inputs wrong?

[monitor:///crd/ua1/mtusr10/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
index = crd_index

[monitor:///crd/ua1/mtusr11/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
index = crd_index

[monitor:///crd/ua1/mtusr11/91/serverapps/logs]
whitelist = cr_server.html$
disabled = false
crcSalt =
index = crd_index

Extract from splunkd on forwarder;

05-15-2013 23:22:16.465 +0100 INFO TailingProcessor - Parsing configuration stanza: monitor:///crd/ua1/mtusr11/91/serverapps/logs.
05-15-2013 23:22:16.465 +0100 INFO TailingProcessor - Adding watch on path: /crd/ua1/mtsys10/91/serverapps/logs.

Appreciate any help or guidance on things to check?

Tags (2)
0 Karma
Reply

nathanlhopkins
Path Finder
‎05-18-2013 03:37 PM

A found this was due to a lack of understanding of the front end GUI - the data was being consumed as required.

0 Karma
Reply

Ayn
Legend
‎05-16-2013 05:52 AM

amrit's script for checking input statuses could definitely help you out here: http://blogs.splunk.com/2011/01/02/did-i-miss-christmas-2/

0 Karma
Reply

kml_uvce
Builder
‎05-15-2013 08:56 PM

can you try like this below and change whitelist...

[monitor:///crd/ua1/mtusr10/91/serverapps/logs]
whitelist = cr_server\.html$
disabled = false
crcSalt =
index = crd_index

-Kamal Bisht

kamal singh bisht
0 Karma
Reply

kml_uvce
Builder
‎05-16-2013 06:55 AM

can you send me splunkd logs from indexer side.

kamal singh bisht
0 Karma
Reply

nathanlhopkins
Path Finder
‎05-16-2013 05:04 AM

Many thanks, I've checked and those \'s are already there (paste issue)

Any other suggestions?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...