- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Not Receiving data from particular source
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why am I not receiving data from particular source?
Hi, I have 4 sources from one sourcetype . so i am getting data from 3 sources but not from other 1 source.
Logs are present , but not showing up in splunk.
checked inputs.conf everything is--same configuration for all 4 sources.
crccsalt=source is also there in inputs.config.
restarted the servers, but still not able to see the data
Can you please tell me anything i am missing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Vani_26 ... we may need some more details please..
1. Approx when all these 4 logs are added to splunk? (recently or long back?)
2. Any recent changes in Splunk environment? are you using HF?
3. Are these 4 logs are same type? i mean, simple file monitoring or what these 4 sources pls
4. on the internal logs, do you see any errors, warnings pls.
5. these 4 logs are there locally on Splunk system or you have UF reading these logs and then sending them to indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. Approx when all these 4 logs are added to splunk? (recently or long back?)
From 3 sources logs are recent, but from other 1 source there are logs on july1st after that no logs and again i see logs on 29th july.
2. Any recent changes in Splunk environment? are you using HF?
no changes in recent logs and i am not using HF.
3. Are these 4 logs are same type? i mean, simple file monitoring or what these 4 sources pls
All the 4 sources logs are of below format
eg: 2022-07-29 12:00:31,630 hgdshgdjsjsnk........................
and my inputs.conf is
[monitior: ///abc/adcd/logs/adc-adc-adc-as-ATV/*.log]
index=abc
sourcetype=abcd
crscSalt=<Source>
intCrcLength=1024
no_binary_check=true
disabled=0
followtail=1
4. on the internal logs, do you see any errors, warnings pls.
No error or warnings in internal logs.
5. these 4 logs are there locally on Splunk system or you have UF reading these logs and then sending them to indexer?
these all 4 sources are from UF and then sending them to indexer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Vani_26
From inputs.conf docs regrading "followTail"
* If you set to "1", monitoring starts at the end of the file (like *nix 'tail -f'). The input does not read any data that exists in the file when it is first encountered. The input only reads data that arrives after the first encounter time.
So it could be that if you create a file there then none of the initial data will be indexed. The docs also don't recommend having followTail set to 1. I think best practice would be to create a new file each time there is new data to be written to Splunk.
Thanks,
Jamie
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @jamie00171 ,
what you said is correct about the follow tail=1, when i removed it, i can see the source which was missing before.
It really helped me a lot, thank you.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
