Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- LogFile Troubleshooting - read file issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
LogFile Troubleshooting - read file issue
I am working in a single node environment (indexer is also deployment-server)and I am having trouble determining why splunk will not index a log file of mine. I set up the configurations in the serverclass.conf and white-listed a new server "server12". This serverclass was already monitoring multiple other servers. The same log file "D:\Logfile\logs.csv" is being monitored on each of the servers and can be seen in the logs coming from all servers except for "server12". I also see other logs coming from "server12" but I do not see the "D:\Logfile\logs.csv" file.
'
My conclusions thus far:
Because I see logs coming from "server12" I know it is not a network/FW issue. And the permissions on the logfile are the same throughout each of the servers so Splunk has permission to read the file.
My question:
Is there a simple way to troubleshoot this or does anyone know if I am missing anything in my configurations?
Running splunk version : Splunk 6.0 (build 182037)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I see it.
Try this:
[monitor://D:\\Logfilelogs.csv]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, Splunkd and splunkweb were restarted along with a
"splunk reload deploy-server"
Serverclass:
[serverClass:SC-admin]
whitelist.0 = server1
whitelist.1 = server2
whitelist.2 = server3
whitelist.3 = server4
whitelist.4 = server5
whitelist.5 = server6
whitelist.6 = server7
whitelist.7 = server8
whitelist.8 = server9
whitelist.9 = server12
[serverClass:SC-admin:app:SC-loghistory-inputs]
$SPLUNK_HOME$/etc/deployment-apps/SC-loghistory-inputs/local/inputs.conf
[monitor://D:\Logfile\logs.csv]
index = loghistory
sourcetype = csv-2
disabled = false
crcSalt =
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you try restarting splunkd after the changes?
Can you post your serverclass.conf and also your inputs.conf where you have defined monitor stanzas
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
