Splunk Search

Not receiving data from particular source

Harish2
Path Finder

Hi 
My sources:
1.  /app/splunkser/ShiftNonMinJMC/ShiftNonMinJMC.log

2.  /app/splunkser/ShiftNonMinJMC/ShiftNonMinJMC-show.log

3.  /app/splunkser/ShiftNonMinJMC/ShiftNonMinJMC-ignored-sms.log

4.  /app/splunkser/ShiftMinJMC/ShiftMinJMC.log

5.  /app/splunkser/ShiftMinJMC/ShiftMinJMC-show.log

6.  /app/splunkser/ShiftMinJMC/ShiftMinJMC-ignored-sms.log

7.  /app/splunkser/ShiftBDRecordJMC/ShiftBDRecordJMC.log

8.  /app/splunkser/ShiftBDRecordJMC/ShiftBDRecordJMC-show.log

9.  /app/splunkser/ShiftBDRecordJMC/ShiftBDRecordJMC-ignored-sms.log

I am receiving data from the above sources in the SIT and PROD environments, but not receiving logs from the below sources:

1.  /app/splunkser/ShiftNonMinJMC/ShiftNonMinJMC.log

4.  /app/splunkser/ShiftMinJMC/ShiftMinJMC.log

7.  /app/splunkser/ShiftBDRecordJMC/ShiftBDRecordJMC.log

Note: I am getting logs in SIT from all 9 sources, but in Production the sources numbered 1, 4 and 7 above are not showing up.

Inputs.conf

[monitor:///app/splunkser/ShiftNonMinJMC/ShiftNonMinJMC-*.log]
disabled=0
index=app-jmc-shift-sms
sourcetype=app:jmcshift:logs
blacklist=\.(?:tar|gz)$
crcSalt=<SOURCE>

[monitor:///app/splunkser/ShiftNonMinJMC/ShiftNonMinJMC-show-*.log]
disabled=0
index=app-jmc-shift-sms
sourcetype=app:jmcshift:logs
blacklist=\.(?:tar|gz)$
crcSalt=<SOURCE>

[monitor:///app/splunkser/ShiftNonMinJMC/ShiftNonMinJMC-ignored-*.log]
disabled=0
index=app-jmc-shift-sms
sourcetype=app:jmcshift:logs
blacklist=\.(?:tar|gz)$
crcSalt=<SOURCE>

[monitor:///app/splunkser/ShiftMinJMC/ShiftMinJMC-*.log]
disabled=0
index=app-jmc-shift-sms
sourcetype=app:jmcshift:logs
blacklist=\.(?:tar|gz)$
crcSalt=<SOURCE>

[monitor:///app/splunkser/ShiftMinJMC/ShiftMinJMC-show-*.log]
disabled=0
index=app-jmc-shift-sms
sourcetype=app:jmcshift:logs
blacklist=\.(?:tar|gz)$
crcSalt=<SOURCE>

[monitor:///app/splunkser/ShiftMinJMC/ShiftMinJMC-ignored-*.log]
disabled=0
index=app-jmc-shift-sms
sourcetype=app:jmcshift:logs
blacklist=\.(?:tar|gz)$
crcSalt=<SOURCE>

[monitor:///app/splunkser/ShiftBDRecordJMC/ShiftBDRecordJMC-*.log]
disabled=0
index=app-jmc-shift-sms
sourcetype=app:jmcshift:logs
blacklist=\.(?:tar|gz)$
crcSalt=<SOURCE>

[monitor:///app/splunkser/ShiftBDRecordJMC/ShiftBDRecordJMC-show-*.log]
disabled=0
index=app-jmc-shift-sms
sourcetype=app:jmcshift:logs
blacklist=\.(?:tar|gz)$
crcSalt=<SOURCE>

[monitor:///app/splunkser/ShiftBDRecordJMC/ShiftBDRecordJMC-ignored-*.log]
disabled=0
index=app-jmc-shift-sms
sourcetype=app:jmcshift:logs
blacklist=\.(?:tar|gz)$
crcSalt=<SOURCE>


Props.conf

[app:jmcshift:logs]
TIME_PREFIX=^
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N
MAX_TIMESTAMP_LOOKAHEAD=30
LINE_BREAKER=([\r\n]+)\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2}.\d{3}
SHOULD_LINEMERGE=false
TRUNCATE=99999

Sample logs:
From all 9 sources the events start with a date, as shown below:
2023-01-12 23:24:50.245 [error]...........................................

Same inputs.conf and props.conf in the SIT and Production environments.
Not sure what could be the issue.


richgalloway
SplunkTrust

Have you checked the permissions on the missing sources to make sure Splunk has read access?

---
If this reply helps you, Karma would be appreciated.

Harish2
Path Finder

Hi @richgalloway 
How can I check that? Can you please tell me?


richgalloway
SplunkTrust

Sign on to the source server and run 

ls -ls /app/splunkser/ShiftNonMinJMC/ShiftNonMinJMC.log /app/splunkser/ShiftMinJMC/ShiftMinJMC.log /app/splunkser/ShiftBDRecordJMC/ShiftBDRecordJMC.log

This will tell you who owns the files and the groups which can access them. Use the groups command to find out the groups to which the Splunk user belongs. Contact your Linux admin for specific assistance.

---
If this reply helps you, Karma would be appreciated.

Harish2
Path Finder

I checked; there is no permission issue. I can see other files with the same permissions.

But I am not able to see data from the mentioned sources.


richgalloway
SplunkTrust

Here are a few other things to check.

Look in splunkd.log on the forwarders to see if there are messages about reading those sources.

If you use SELinux, have someone verify the settings allow Splunk to read the sources.  If you can sign in as the Splunk user and read the files then Splunk itself should be able to read them.

Verify the sources are going to the right indexes.

Verify the timestamps in the sources are being onboarded correctly.  Incorrect timestamps could make it hard to find data from the source.  Try searching with earliest=0 latest=+1y.

Double-check the SPL used to search for the sources.

---
If this reply helps you, Karma would be appreciated.
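The two checks suggested in the replies above (whether the Splunk user can read the files, and whether the sources are actually covered by the monitor stanzas in inputs.conf) can be scripted. The script below is an added example, not code from this thread or from Splunk: it extracts every [monitor://...] glob from an inputs.conf, tests each expected path against those globs with shell pattern matching (a glob such as Name-*.log requires the hyphen, so it surfaces exactly this kind of near miss), and tests readability as a given user. The temp directory, the nine empty log files and the inputs.conf it builds are constructed from the paths and stanzas posted in the question; make_sample_env, matches_monitor, readable_by, unmatched_count and report are names of my own choosing, it assumes a Linux host with POSIX sh, and Splunk's recursive "..." is approximated as "*".

```shell
#!/bin/sh
# Added example (not code from the thread): for each log file you expect to be
# indexed, check (1) whether any [monitor://...] stanza in inputs.conf actually
# matches its path and (2) whether the Splunk user can read it.

# Print the path glob of every [monitor://...] stanza in the given inputs.conf.
monitor_globs() {
    sed -n 's#^\[monitor://\(.*\)\]$#\1#p' "$1"
}

# Succeed (exit 0) if PATH ($2) is matched by at least one monitor glob in CONF ($1).
# Splunk's recursive "..." is treated as "*"; matching uses the shell's own case
# patterns, which is adequate for the single-directory globs in this thread.
matches_monitor() {
    conf=$1; path=$2; found=1
    set -f   # keep the stanza's "*" literal instead of expanding it against the filesystem
    for glob in $(monitor_globs "$conf"); do
        glob=$(printf '%s\n' "$glob" | sed 's/\.\.\./*/g')
        case "$path" in
            $glob) found=0; break ;;
        esac
    done
    set +f
    return "$found"
}

# Succeed if USER ($1) can read FILE ($2).  When USER is the current user a plain
# -r test is enough; otherwise run the test as that user (needs root or su rights).
readable_by() {
    user=$1; file=$2
    if [ "$(id -un)" = "$user" ]; then
        [ -r "$file" ]
    else
        su -s /bin/sh -c "test -r '$file'" "$user"
    fi
}

# Build a constructed sample environment in a temp dir: the nine log files from
# the question (empty) and an inputs.conf with the three "<name>-*.log" stanzas.
# Prints the temp dir; all paths are prefixed with it so the check runs offline.
make_sample_env() {
    dir=$(mktemp -d)
    for name in ShiftNonMinJMC ShiftMinJMC ShiftBDRecordJMC; do
        mkdir -p "$dir/app/splunkser/$name"
        : > "$dir/app/splunkser/$name/$name.log"
        : > "$dir/app/splunkser/$name/$name-show.log"
        : > "$dir/app/splunkser/$name/$name-ignored-sms.log"
        cat >> "$dir/inputs.conf" <<EOF
[monitor://$dir/app/splunkser/$name/$name-*.log]
disabled=0
index=app-jmc-shift-sms
sourcetype=app:jmcshift:logs

EOF
    done
    printf '%s\n' "$dir"
}

# Print the number of the given paths that no stanza in CONF ($1) matches.
unmatched_count() {
    conf=$1; shift
    n=0
    for p in "$@"; do
        matches_monitor "$conf" "$p" || n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Print one report line per path: MATCHED/UNMATCHED by CONF ($1) and whether USER ($2) can read it.
report() {
    conf=$1; user=$2; shift 2
    for p in "$@"; do
        if matches_monitor "$conf" "$p"; then m=MATCHED; else m=UNMATCHED; fi
        if readable_by "$user" "$p" 2>/dev/null; then r=readable; else r=unreadable; fi
        printf '%-9s %-10s %s\n' "$m" "$r" "$p"
    done
}

# Stand-alone demo on the constructed environment, checked as the current user.
# On a forwarder, pass your app's local/inputs.conf, the Splunk user and the real paths.
demo_dir=$(make_sample_env)
demo_paths=$(find "$demo_dir/app" -name '*.log' | sort)
report "$demo_dir/inputs.conf" "$(id -un)" $demo_paths
```

A path reported as UNMATCHED is one that no stanza covers, whatever its permissions, so fixing ownership will not make it appear; a path reported as unreadable needs the ownership or group fix described above. Run the report as root on the forwarder so the su branch of readable_by can switch to the Splunk user.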