Hi guys,
I am fairly new to Splunk, and I am trying to get it to monitor a couple of log files on some app servers.
I have created the apps needed and also created an index. However, when I try to use the search function in Splunk Web and use that index, it is not pulling data.
This is my inputs.conf file:

[monitor:///tibco/apps/tra/domain/abc/application/logs]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host1

[monitor:///tibco/apps/tra/domain/abc/application/logs/855EDI-855EDI.log]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host2

[monitor:///tibco/apps/tra/domain/abc/application/logs]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host3

[monitor:///tibco/apps/tra/domain/abc/application/logs/*.log]
sourcetype = tibco
index = tibco
#ignoreOlderThan = 7d
disabled = false
host = $host4

When I try:
./splunk list monitor
it tells me that these folders are being monitored.
I also tried and changed the permissions.
Also when I give this search:
source="/tibco/apps/tra/domain/abc/application/logs/*"
it is actually pulling data, but not when I give index = tibco like it works for my other applications.
Thank you for your help,
Oliver
You need to bounce all Splunk instances on your forwarders so that the latest changes to inputs.conf are re-run. I assume the problem is that you forgot to specify index=tibco the last time that you changed the configs so Splunk picked something on its own.
I have a follow-up question though, and I am sure you can probably help me out again.
The indexer is now indexing data from only $host4, which is very odd since I don't even have any Splunk or Splunk apps installed on $host4 yet. Only on 1-3.
Check out the outputs.conf files on all of your hosts and make sure that 1-3 are configured the same as 4.
Thank you, Sir.
I did that and it did help, the indexer is pulling data now.