Hello @thesplunkmonkey sorry to answer you until now!
Let me answer your questions:
1. If that's a typo in the actual inputs.conf file, that could be an issue.
A.- hehe yes I typed wrong
2. Did you also either restart the UF or ensure that the inputs configs are reloaded?
A.- Yes, After a Changed the inputs I restarted the splunk
3. Are you dropping the files on a server running a UF, on an HF, or on an indexer directly?
A.- I'm using a Splunk Enterprise with the 60 days trial. Search Head and Indexer in the same intallation
4.- The first 256 bytes of the file are used by splunk to determine of the file it's reading is a match to a file it's already indexed. I know you say that the data is different in the reports, but do they perhaps have the same header on the report that is long enough that the first 256 bytes of the file are all the same, and therefore splunk is ignoring it because it already matches what it's got for a file in it's fishbucket?
A. Yes they have the same header well in this case the same structure, but it suppose that splunk can index anything and everything every time? How can I change this 256 bytes?
5.- Have you checked your date/time values on the reports to ensure that they are correct, the timezone is correct, etc? If that's wrong, you could be seeing your data indexed either in the past or the future, and outside of your expected search date/time range which may make it appear to be missing.
A.- Yes, the file that I upload I check the date that is suppose to be, but if not, in the Timeline I specify all time to check if there is the data in another date, but no! It doesn't appear any data.
The thing That I'm doing to solve this problem is to uninstall and install again the splunk, but imagine how can I fix this issue if this goes to production and the data is not indexing in of all the different sources.
I attach you some screenshots of the reports that I'm uploading to the inputs.conf
As I told you, we use different paths, because the data that each txt file has is different and we need to differentiate them with the source, even when the structure of the data is the same:
Here are the screnshots of the txt files with the path of each one
[default] host = MX-AIPHS-01
[monitor:///data01/reportes-splunk/racf-commands]
disabled = 0 index = racf sourcetype =
Zsecure2
[monitor:///data01/reportes-splunk/racf-resource]
disabled = 0 index = racf sourcetype =
Zsecure2
I didn't upload more sample because the post didn't let me, but all the txt files have the same structure.
... View more