cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Namdev
Loves-to-Learn Lots
Member since: ‎06-02-2023
‎03-05-2025
Community Statistics
Posts 9
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎06-02-2023
Activity Feed
View All

Re: SplunkForwarder monitoring issue for /opt/log/...

by in Splunk Enterprise
‎03-05-2025 08:57 AM
‎03-05-2025 08:57 AM
Cooked:tcp : tcp Raw:tcp : tcp TailingProcessor:FileStatus : $SPLUNK_HOME/etc/apps/sample_app/logs type = missing $SPLUNK_HOME/etc/splunk.version file position = 70 file size = 70 percent = 100.00 type = finished reading $SPLUNK_HOME/var/log/splunk type = directory $SPLUNK_HOME/var/log/splunk/configuration_change.log type = directory $SPLUNK_HOME/var/log/splunk/license_usage_summary.log type = directory $SPLUNK_HOME/var/log/splunk/metrics.log type = directory $SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log* type = directory $SPLUNK_HOME/var/log/splunk/splunkd.log type = directory $SPLUNK_HOME/var/log/watchdog/watchdog.log* type = directory $SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json type = directory $SPLUNK_HOME/var/spool/splunk/tracker.log* type = directory /opt/log/ type = directory /opt/log/cisco_ironport_web.log file position = 207575 file size = 207575 parent = /opt/log/ percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/audit.log file position = 159471 file size = 159471 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = open file /opt/splunkforwarder/var/log/splunk/btool.log file position = 192268 file size = 192268 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/conf.log file position = 9044 file size = 9044 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/configuration_change.log file position = 3353479 file size = 3353479 parent = $SPLUNK_HOME/var/log/splunk/configuration_change.log percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/first_install.log file position = 70 file size = 70 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/health.log file position = 785728 file size = 785728 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/license_usage.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/license_usage_summary.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk/license_usage_summary.log percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/mergebuckets.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/metrics.log file position = 21630761 file size = 21630761 parent = $SPLUNK_HOME/var/log/splunk/metrics.log percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/metrics.log.1 file position = 25000026 file size = 25000026 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/metrics.log.2 file position = 25000081 file size = 25000081 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/mongod.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/remote_searches.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/scheduler.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/search_messages.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/searchhistory.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/splunk_instrumentation_cloud.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log* percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/splunkd-utility.log file position = 69012 file size = 69012 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/splunkd.log file position = 12378562 file size = 12378562 parent = $SPLUNK_HOME/var/log/splunk/splunkd.log percent = 100.00 type = open file /opt/splunkforwarder/var/log/splunk/splunkd_access.log file position = 44571 file size = 44571 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = open file /opt/splunkforwarder/var/log/splunk/splunkd_stderr.log file position = 200 file size = 200 parent = $SPLUNK_HOME/var/log/splunk percent = 100.00 type = finished reading /opt/splunkforwarder/var/log/splunk/splunkd_stdout.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/splunkd_ui_access.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/splunk/wlm_monitor.log file position = 0 file size = 0 parent = $SPLUNK_HOME/var/log/splunk percent = 100 type = finished reading /opt/splunkforwarder/var/log/watchdog/watchdog.log file position = 12202 file size = 12202 parent = $SPLUNK_HOME/var/log/watchdog/watchdog.log* percent = 100.00 type = finished reading tcp_cooked:listenerports : 8089   ... View more

Re: SplunkForwarder monitoring issue for /opt/log/...

by in Splunk Enterprise
‎03-05-2025 05:48 AM
‎03-05-2025 05:48 AM
I checked by using this command but no luck , kindly find my logs    root@hf2:/opt# ps aux | grep /opt/log/ root 3152 0.0 0.0 9276 2304 pts/2 S+ 13:17 0:00 grep --color=auto /opt/log/ root@hf2:/opt# ls -l /opt/log/ total 204 -rw-r-xr--+ 1 root root 207575 Feb 19 11:12 cisco_ironport_web.log root@hf2:/opt# SplunkD Logs for your refernecne : 03-04-2025 22:23:55.770 +0530 INFO TailingProcessor [32908 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-04-2025 22:29:34.873 +0530 INFO TailingProcessor [33197 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-04-2025 22:39:22.449 +0530 INFO TailingProcessor [33712 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-04-2025 22:44:59.341 +0530 INFO TailingProcessor [33979 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log. 03-04-2025 22:44:59.341 +0530 INFO TailingProcessor [33979 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log. 03-04-2025 22:54:52.366 +0530 INFO TailingProcessor [34246 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log. 03-04-2025 22:54:52.366 +0530 INFO TailingProcessor [34246 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log. 03-05-2025 12:35:53.768 +0530 INFO TailingProcessor [2117 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log. 03-05-2025 12:35:53.768 +0530 INFO TailingProcessor [2117 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log. 03-05-2025 13:07:00.440 +0530 INFO TailingProcessor [2920 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-05-2025 13:16:28.483 +0530 INFO TailingProcessor [3132 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-05-2025 13:18:26.876 +0530 INFO TailingProcessor [3339 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. root@hf2:/opt# ... View more

Re: SplunkForwarder monitoring issue for /opt/log/...

by in Splunk Enterprise
‎03-05-2025 03:22 AM
‎03-05-2025 03:22 AM
I am using Splunk trial license, I have checked permissions and it is not a permission issue   ... View more

Re: SplunkForwarder monitoring issue for /opt/log/...

by in Splunk Enterprise
‎03-05-2025 02:39 AM
‎03-05-2025 02:39 AM
NO logs on Search head  ... View more

Re: SplunkForwarder monitoring issue for /opt/log/...

by in Splunk Enterprise
‎03-04-2025 11:54 PM
‎03-04-2025 11:54 PM
Hey Buddy , No luck with your command, kindly find logs below :  root@hf2:/opt# ps aux | grep /opt/log/ root 3152 0.0 0.0 9276 2304 pts/2 S+ 13:17 0:00 grep --color=auto /opt/log/ root@hf2:/opt# ls -l /opt/log/ total 204 -rw-r-xr--+ 1 root root 207575 Feb 19 11:12 cisco_ironport_web.log root@hf2:/opt# SplunkD Logs for your refernecne : 03-04-2025 22:23:55.770 +0530 INFO TailingProcessor [32908 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-04-2025 22:29:34.873 +0530 INFO TailingProcessor [33197 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-04-2025 22:39:22.449 +0530 INFO TailingProcessor [33712 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-04-2025 22:44:59.341 +0530 INFO TailingProcessor [33979 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log. 03-04-2025 22:44:59.341 +0530 INFO TailingProcessor [33979 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log. 03-04-2025 22:54:52.366 +0530 INFO TailingProcessor [34246 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log. 03-04-2025 22:54:52.366 +0530 INFO TailingProcessor [34246 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log. 03-05-2025 12:35:53.768 +0530 INFO TailingProcessor [2117 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log. 03-05-2025 12:35:53.768 +0530 INFO TailingProcessor [2117 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log. 03-05-2025 13:07:00.440 +0530 INFO TailingProcessor [2920 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-05-2025 13:16:28.483 +0530 INFO TailingProcessor [3132 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. 03-05-2025 13:18:26.876 +0530 INFO TailingProcessor [3339 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/. root@hf2:/opt# ... View more

SplunkForwarder monitoring issue for /opt/log/<fil...

by in Splunk Enterprise
‎03-04-2025 09:34 AM
‎03-04-2025 09:34 AM
Hello team, In my distributed Splunk lab created on VMware client virtual machine, facing the below issues.  Distributed environment consists of below components with Splunk free  licences - 4 Indexers (part of an Indexer Cluster) - 1 Cluster Manager (for managing the indexer cluster) - 2 Universal Forwarders (UFs) sending data - 1 DS/LM/MC (Deployment Server + License Manager + Monitoring Console combined on one server) - 1 Search Head (for searching and dashboards)    I am facing an issue to enable Splunk monitoring for /opt/log directory. I have checked that /var/log can be monitored successfully whereas Splunk forwarder is failed to monitor /opt/log directory. I have checked permission issue other things but no luck  ... View more

Re: Parsing issue in distributed Environment

by in Getting Data In
‎03-03-2025 07:37 AM
‎03-03-2025 07:37 AM
I have tried this option, no luck. Can we have a call to discuss this ? ... View more

Re: Parsing issue in distributed Environment

by in Getting Data In
‎02-23-2025 10:58 PM
‎02-23-2025 10:58 PM
Yes, I  tried using the app option also checked with the _cluster option where I placed the props.conf and transforms.conf files, and distributed them among the peers. ... View more

Parsing issue in distributed Environment

by in Getting Data In
‎02-23-2025 09:50 PM
‎02-23-2025 09:50 PM
Hello Team,parsing issue   I have built a distributed Splunk lab using a trial license. The lab consists of three indexers, one cluster manager, one search head, one instance serving as the Monitoring Console (MC), Deployment Server (DS), and License Manager (LM), along with two Universal Forwarders. The forwarder is monitoring the /opt/log/routerlog directory, where I have placed two log files: cisco_ironport_web.log and cisco_ironport_mail.log. The logs are successfully forwarded to the indexers and then to the search head. However, log parsing is not happening as expected. I have applied the same configuration of props.conf and transforms.conf on both the indexer cluster and the search head.   props.conf and transforms.conf file paths : indexer path : /opt/splunk/etc/peer-apps/_cluster/local Search head  path : /opt/splunk/etc/apps/search/local   configuration of props.conf and transforms.conf :   transforms.conf : [extract_fields] REGEX = ^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<email>\S+@\S+)\s+(?P<domain>\S+)\s+(?P<url>\S+) FORMAT = timestamp::$1 src_ip::$2 email::$3 domain::$4 url::$5   props.conf : [custom_logs] SHOULD_LINEMERGE = false TIME_PREFIX = ^ TIME_FORMAT = %Y-%m-%d %H:%M:%S MAX_TIMESTAMP_LOOKAHEAD = 19 TRANSFORMS-extract_fields = extract_fields     ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-05-2025 12:54 PM
Top