I created 8 data inputs, each one is supposed to tail log files matching a certain whitelist regex.
These inputs see the files (my preview worked and I see the # of files in the data inputs page).
The Application im using for the inputs is SEARCH.
When I go to the SEARCH app, I type a word I KNOW is in the logs, and I get nothing.
I type * and I get nothing.
I'm clearly missing something basic.
This wasn't this hard when I did this a few years ago.
I learn something new everyday!
Thanks gkanapathy, I owe you a beer!
Ok, after trying to figure out why the wildcard "*" wouldn't work in your inputs.conf, it was determined that it can't be used in the Splunk data preview or the stanza in inputs.conf.
EX: [monitor:///Users/username/Desktop/tmp/debug-*.txt] Although the docs say differently. I tried and I got the same result.
With that said, I had to create these configurations to get it to work:
inputs.conf
# location of the debug.txt and log.txt logs
[monitor:///Users/username/Desktop/tmp]
whitelist = (log-.*\.txt|debug-.*\.txt)
props.conf
[source::.../tmp/debug...txt]
sourcetype = debug
TRANSFORMS-index = choose_debug_index
[source::.../tmp/log...txt]
sourcetype = log
TRANSFORMS-index = choose_log_index
transforms.conf
[choose_debug_index]
SOURCE_KEY = _raw
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = debugtest
[choose_log_index]
SOURCE_KEY = _raw
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = logtest
NOTE: The names of the indexes and transforms stanzas above can be changed to what suits your needs.
Hope that helps.
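To see why the whitelist in the answer above is written as a regular expression rather than a glob, and how the source:: stanzas pick an index, here is an added Python model of the two matching steps (this is example code, not Splunk's own implementation). It assumes Splunk's documented rules: whitelist/blacklist are unanchored regexes applied to the full path, blacklist wins when both match, and in a source:: pattern "..." matches any characters including path separators while "*" matches anything except a separator. The paths below are constructed samples in the layout the question describes.

```python
import re

# Constructed sample paths in the layout from the question (not real hosts).
BASE = r"\\XXX-vdi-csa01\c$\Documents and Settings\All Users\Application Data\VMware\VDM\logs"
DEBUG_PATH = BASE + r"\debug-2013-01-15.txt"
LOG_PATH = BASE + r"\log-2013-01-15.txt"
OTHER_PATH = BASE + r"\other.log"

# Patterns as they appear in the thread: the glob-style one the asker used,
# and the regex the answer replaces it with.
GLOB_STYLE_WHITELIST = r"debug-*.txt"       # as a regex: "debug", 0+ hyphens, ONE char, "txt"
REGEX_WHITELIST = r"debug-.*\.txt"          # what was actually meant
COMBINED_WHITELIST = r"(log-.*\.txt|debug-.*\.txt)"


def monitored(path, whitelist=None, blacklist=None):
    """Model of [monitor://] whitelist/blacklist: both are unanchored regexes
    searched against the whole path; a blacklist hit overrides a whitelist hit."""
    if blacklist and re.search(blacklist, path):
        return False
    if whitelist:
        return re.search(whitelist, path) is not None
    return True


def source_pattern_to_regex(pattern):
    """Translate a props.conf [source::...] pattern into an anchored regex.
    Assumed semantics: '...' -> anything (including separators),
    '*' -> anything except a path separator, everything else literal."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append(r"[^/\\]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"


# Hypothetical props.conf/transforms.conf equivalent for the asker's layout:
# source:: pattern -> index chosen by the TRANSFORMS-index rule.
INDEX_RULES = [
    (r"...\logs\debug-*.txt", "debugtest"),
    (r"...\logs\log-*.txt", "logtest"),
]


def choose_index(path, rules=INDEX_RULES):
    """Return the index the first matching source:: stanza routes to, else None."""
    for pattern, index in rules:
        if re.match(source_pattern_to_regex(pattern), path):
            return index
    return None


if __name__ == "__main__":
    for p in (DEBUG_PATH, LOG_PATH, OTHER_PATH):
        print(p.rsplit("\\", 1)[-1],
              "glob-style:", monitored(p, whitelist=GLOB_STYLE_WHITELIST),
              "regex:", monitored(p, whitelist=COMBINED_WHITELIST),
              "index:", choose_index(p))
```

Run it and the first column shows the trap: `debug-*.txt` read as a regex never matches `debug-2013-01-15.txt`, because `*` only repeats the hyphen and `.` is a single character, so no file passes the whitelist. The regex form matches, and the source:: rules then send each file to its own index.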
This format gets me close, but I don't understand how to adapt all this to my input data.
I don't understand a lot of what you put in here or mean for me to replace; some is obvious, other parts are not.
I'm using a Windows SPLUNK instance, so do I need to escape all these characters?
Some stuff in here is not anything I have ever seen.
{choose log/debug index}, etc...
Can you explain it more? Perhaps use a sample of my data from above for your example?
There is a way to show code in an Answers posting. The "code" button in the input editor (looks like "101-010") will make anything you type in literal. There should also be a help link somewhere to the formatting codes so you can type them directly (it is in Markdown), but some fail has removed it.
Usually, when I want to check that some data that I set to be indexed is present, I am as loose as possible with my search terms.
Typically, I will search over all time for :
index=* OR index=_* <TERM>
...where <TERM> is a string (unique, if possible) naturally delimited in the source by delimiters such as white spaces, colons, slashes, etc.
Oh and there's no reason to feel dumb.
I get no results. 😞
You can search with just the index specified. The search will return all events in the index (constrained by your time range selection).
What about with just the index specified, no other strings to filter?
Here's the likely reason:
index = vmware_view_brokers
The summary app and by default your role will only search index=main by default. Simply add:
index=vmware_view_brokers
to your search and you should see the data just fine
You can change the default role that is searched under Manager> User Roles > your role.
C:\Program Files\Splunk\bin>btool indexes list --debug vmware_view_brokers
search [vmware_view_brokers]
system assureUTF8 = false
system blockSignSize = 0
system blockSignatureDatabase = _blocksignature
search coldPath = $SPLUNK_DB\vmware_view_brokers\colddb
system coldToFrozenDir =
system coldToFrozenScript =
system compressRawdata = true
system defaultDatabase = main
system enableOnlineBucketRepair = true
system enableRealtimeSearch = true
system frozenTimePeriodInSecs = 188697600
search homePath = $SPLUNK_DB\vmware_view_brokers\db
system indexThreads = auto
system maxBloomBackfillBucketAge = 30d
system maxConcurrentOptimizes = 3
system maxDataSize = auto
system maxHotBuckets = 3
system maxHotIdleSecs = 0
system maxHotSpanSecs = 7776000
system maxMemMB = 5
system maxMetaEntries = 1000000
system maxRunningProcessGroups = 20
system maxRunningProcessGroupsLowPriority = 1
system maxTotalDataSizeMB = 500000
system maxWarmDBCount = 300
system memPoolMB = auto
system minRawFileSyncSecs = disable
system partialServiceMetaPeriod = 0
system quarantineFutureSecs = 2592000
system quarantinePastSecs = 77760000
system rawChunkSizeBytes = 131072
system rotatePeriodInSecs = 60
system serviceMetaPeriod = 25
system suppressBannerList =
system sync = 0
system syncMeta = true
search thawedPath = $SPLUNK_DB\vmware_view_brokers\thaweddb
system throttleCheckPeriod = 15
So I just run this command?
Hmm, this might take some more investigating. What's the output of (run from $SPLUNK_HOME/bin):
./splunk cmd btool indexes list --debug vmware_view_brokers
Alternatively, if you have access to the IRC channel you could pop in there, then we could look deeper and then update this Question with the outcome.
I think this might be the problem..
In the indexes section, the vmware_view_brokers index is only at 1MB and EVENT COUNT is 0, and the rest is N/A.
argh.
also make sure the indexes are actually created.
So, I did that...
index="vmware_view_brokers" WARN
and I don't find any occurrence of WARN.
How can I make the default index the brokers index? I plan to use Splunk for nothing else but watching brokers.
Here is a sample of a few...
[monitor://\\XXX-vdi-csa01\c$\Documents and Settings\All Users\Application Data\VMware\VDM\logs]
disabled = false
followTail = 1
host = XXX-VDI-CSA01_DEBUG-LOG
sourcetype = vmware_view_connection_broker_debug_log
index = vmware_view_brokers
blacklist = log-*.txt
whitelist = debug-*.txt

[monitor://\\XXX-vdi-csb01\c$\Documents and Settings\All Users\Application Data\VMware\VDM\logs]
disabled = false
followTail = 1
host = XXX-VDI-CSB01_LOG
sourcetype = vmware_view_connection_server_log
index = vmware_view_brokers
blacklist = debug-*.txt
whitelist = log-*.txt
Could you post the relevant stanza from inputs.conf? Are you sending the data to an index you're then not searching for?