Monitoring several log files with a specified index, why are searches on the index in Splunk Web not returning any data?

omuelle1
Communicator

Hi guys,

I am fairly new to Splunk, and I am trying to get it to monitor a couple of log files on some app servers.

I have created the apps needed and also created an index. However, when I try to use the search function in Splunk Web and use that index, it is not pulling data.

This is my inputs.conf file:

[monitor:///tibco/apps/tra/domain/abc/application/logs]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host1

[monitor:///tibco/apps/tra/domain/abc/application/logs/855EDI-855EDI.log]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host2

[monitor:///tibco/apps/tra/domain/abc/application/logs]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host3

[monitor:///tibco/apps/tra/domain/abc/application/logs/*.log]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host4

When I try:

./splunk list monitor

it tells me that these folders are being monitored.

I also tried and changed the permissions.

Also when I give this search:

source="/tibco/apps/tra/domain/abc/application/logs/*"

it is actually pulling data, but not when I give index = tibco like it works for my other applications.

Thank you for your help,

Oliver


woodcock
Esteemed Legend

You need to bounce all Splunk instances on your forwarders so that the latest changes to inputs.conf are re-run. I assume the problem is that you forgot to specify index=tibco the last time that you changed the configs so Splunk picked something on its own.


omuelle1
Communicator

I have a follow-up question though, and I am sure you can probably help me out again.

The indexer is now indexing data from only $host4, which is very odd since I don't even have any Splunk or Splunk apps installed on $host4 yet. Only on 1-3.

woodcock
Esteemed Legend

Check out the outputs.conf files on all of your hosts and make sure that 1-3 are configured the same as 4.

omuelle1
Communicator

Thank you, Sir.

I did that and it did help; the indexer is pulling data now.
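
A check for the kind of inputs.conf shown in the question, as an added example that is not part of the original thread: it lists monitor stanzas whose paths are identical or overlap while setting different host values. The overlap test (same path, parent directory, or shell-style wildcard) and the function names are assumptions for illustration, not Splunk's own matching logic.

```python
import fnmatch
import re

# Constructed sample: the four monitor stanzas from the question, trimmed.
SAMPLE = """\
[monitor:///tibco/apps/tra/domain/abc/application/logs]
index = tibco
host = $host1
[monitor:///tibco/apps/tra/domain/abc/application/logs/855EDI-855EDI.log]
index = tibco
host = $host2
[monitor:///tibco/apps/tra/domain/abc/application/logs]
index = tibco
host = $host3
[monitor:///tibco/apps/tra/domain/abc/application/logs/*.log]
index = tibco
host = $host4
"""

def parse_monitors(text):
    """Return [(path, settings)] for every monitor stanza, keeping duplicates."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1)
            current = {} if name.startswith("monitor://") else None
            if current is not None:
                stanzas.append((name[len("monitor://"):], current))
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def overlaps(a, b):
    """Assumed overlap test: same path, parent directory, or wildcard match."""
    return (a == b or b.startswith(a.rstrip("/") + "/") or a.startswith(b.rstrip("/") + "/")
            or fnmatch.fnmatch(a, b) or fnmatch.fnmatch(b, a))

def conflicts(text, key="host"):
    """Pairs of overlapping monitor stanzas that set different values for key."""
    m = parse_monitors(text)
    return [(m[i][0], m[i][1].get(key), m[j][0], m[j][1].get(key))
            for i in range(len(m)) for j in range(i + 1, len(m))
            if overlaps(m[i][0], m[j][0]) and m[i][1].get(key) != m[j][1].get(key)]

if __name__ == "__main__":
    for a, va, b, vb in conflicts(SAMPLE):
        print(f"{a} ({va}) overlaps {b} ({vb})")
```

Passing key="index" runs the same comparison on the index setting.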
