Activity Feed
- Posted Re: SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 03-05-2025 08:57 AM
- Posted Re: SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 03-05-2025 05:48 AM
- Posted Re: SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 03-05-2025 03:22 AM
- Posted Re: SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 03-05-2025 02:39 AM
- Posted Re: SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 03-04-2025 11:54 PM
- Posted SplunkForwarder monitoring issue for /opt/log/<file name> on Splunk Enterprise. 03-04-2025 09:34 AM
- Posted Re: Parsing issue in distributed Environment on Getting Data In. 03-03-2025 07:37 AM
- Posted Re: Parsing issue in distributed Environment on Getting Data In. 02-23-2025 10:58 PM
- Posted Parsing issue in distributed Environment on Getting Data In. 02-23-2025 09:50 PM
03-05-2025
08:57 AM
Output of `splunk list inputstatus` on the forwarder:

```
Cooked:tcp : tcp
Raw:tcp : tcp
TailingProcessor:FileStatus :
  $SPLUNK_HOME/etc/apps/sample_app/logs
    type = missing
  $SPLUNK_HOME/etc/splunk.version
    file position = 70
    file size = 70
    percent = 100.00
    type = finished reading
  $SPLUNK_HOME/var/log/splunk
    type = directory
  $SPLUNK_HOME/var/log/splunk/configuration_change.log
    type = directory
  $SPLUNK_HOME/var/log/splunk/license_usage_summary.log
    type = directory
  $SPLUNK_HOME/var/log/splunk/metrics.log
    type = directory
  $SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log*
    type = directory
  $SPLUNK_HOME/var/log/splunk/splunkd.log
    type = directory
  $SPLUNK_HOME/var/log/watchdog/watchdog.log*
    type = directory
  $SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json
    type = directory
  $SPLUNK_HOME/var/spool/splunk/tracker.log*
    type = directory
  /opt/log/
    type = directory
  /opt/log/cisco_ironport_web.log
    file position = 207575
    file size = 207575
    parent = /opt/log/
    percent = 100.00
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/audit.log
    file position = 159471
    file size = 159471
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100.00
    type = open file
  /opt/splunkforwarder/var/log/splunk/btool.log
    file position = 192268
    file size = 192268
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100.00
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/conf.log
    file position = 9044
    file size = 9044
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100.00
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/configuration_change.log
    file position = 3353479
    file size = 3353479
    parent = $SPLUNK_HOME/var/log/splunk/configuration_change.log
    percent = 100.00
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/first_install.log
    file position = 70
    file size = 70
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100.00
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/health.log
    file position = 785728
    file size = 785728
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100.00
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/license_usage.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/license_usage_summary.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk/license_usage_summary.log
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/mergebuckets.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/metrics.log
    file position = 21630761
    file size = 21630761
    parent = $SPLUNK_HOME/var/log/splunk/metrics.log
    percent = 100.00
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/metrics.log.1
    file position = 25000026
    file size = 25000026
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100.00
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/metrics.log.2
    file position = 25000081
    file size = 25000081
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100.00
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/mongod.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/remote_searches.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/scheduler.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/search_messages.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/searchhistory.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/splunk_instrumentation_cloud.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log*
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/splunkd-utility.log
    file position = 69012
    file size = 69012
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100.00
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/splunkd.log
    file position = 12378562
    file size = 12378562
    parent = $SPLUNK_HOME/var/log/splunk/splunkd.log
    percent = 100.00
    type = open file
  /opt/splunkforwarder/var/log/splunk/splunkd_access.log
    file position = 44571
    file size = 44571
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100.00
    type = open file
  /opt/splunkforwarder/var/log/splunk/splunkd_stderr.log
    file position = 200
    file size = 200
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100.00
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/splunkd_stdout.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/splunkd_ui_access.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/wlm_monitor.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/watchdog/watchdog.log
    file position = 12202
    file size = 12202
    parent = $SPLUNK_HOME/var/log/watchdog/watchdog.log*
    percent = 100.00
    type = finished reading
tcp_cooked:listenerports : 8089
```
03-05-2025
05:48 AM
I checked by using this command but no luck, kindly find my logs:

```
root@hf2:/opt# ps aux | grep /opt/log/
root        3152  0.0  0.0   9276  2304 pts/2    S+   13:17   0:00 grep --color=auto /opt/log/
root@hf2:/opt# ls -l /opt/log/
total 204
-rw-r-xr--+ 1 root root 207575 Feb 19 11:12 cisco_ironport_web.log
root@hf2:/opt#
```

splunkd logs for your reference:

```
03-04-2025 22:23:55.770 +0530 INFO  TailingProcessor [32908 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/.
03-04-2025 22:29:34.873 +0530 INFO  TailingProcessor [33197 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/.
03-04-2025 22:39:22.449 +0530 INFO  TailingProcessor [33712 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/.
03-04-2025 22:44:59.341 +0530 INFO  TailingProcessor [33979 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log.
03-04-2025 22:44:59.341 +0530 INFO  TailingProcessor [33979 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log.
03-04-2025 22:54:52.366 +0530 INFO  TailingProcessor [34246 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log.
03-04-2025 22:54:52.366 +0530 INFO  TailingProcessor [34246 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log.
03-05-2025 12:35:53.768 +0530 INFO  TailingProcessor [2117 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log.
03-05-2025 12:35:53.768 +0530 INFO  TailingProcessor [2117 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log.
03-05-2025 13:07:00.440 +0530 INFO  TailingProcessor [2920 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/.
03-05-2025 13:16:28.483 +0530 INFO  TailingProcessor [3132 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/.
03-05-2025 13:18:26.876 +0530 INFO  TailingProcessor [3339 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/.
root@hf2:/opt#
```
03-05-2025
03:22 AM
I am using a Splunk trial license. I have checked permissions and it is not a permission issue.
03-05-2025
02:39 AM
No logs on the Search head.
03-04-2025
11:54 PM
Hey Buddy, no luck with your command, kindly find logs below:

```
root@hf2:/opt# ps aux | grep /opt/log/
root        3152  0.0  0.0   9276  2304 pts/2    S+   13:17   0:00 grep --color=auto /opt/log/
root@hf2:/opt# ls -l /opt/log/
total 204
-rw-r-xr--+ 1 root root 207575 Feb 19 11:12 cisco_ironport_web.log
root@hf2:/opt#
```

splunkd logs for your reference:

```
03-04-2025 22:23:55.770 +0530 INFO  TailingProcessor [32908 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/.
03-04-2025 22:29:34.873 +0530 INFO  TailingProcessor [33197 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/.
03-04-2025 22:39:22.449 +0530 INFO  TailingProcessor [33712 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/.
03-04-2025 22:44:59.341 +0530 INFO  TailingProcessor [33979 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log.
03-04-2025 22:44:59.341 +0530 INFO  TailingProcessor [33979 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log.
03-04-2025 22:54:52.366 +0530 INFO  TailingProcessor [34246 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log.
03-04-2025 22:54:52.366 +0530 INFO  TailingProcessor [34246 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log.
03-05-2025 12:35:53.768 +0530 INFO  TailingProcessor [2117 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/cisco_ironport_web.log.
03-05-2025 12:35:53.768 +0530 INFO  TailingProcessor [2117 MainTailingThread] - Adding watch on path: /opt/log/cisco_ironport_web.log.
03-05-2025 13:07:00.440 +0530 INFO  TailingProcessor [2920 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/.
03-05-2025 13:16:28.483 +0530 INFO  TailingProcessor [3132 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/.
03-05-2025 13:18:26.876 +0530 INFO  TailingProcessor [3339 MainTailingThread] - Parsing configuration stanza: monitor:///opt/log/.
root@hf2:/opt#
```
03-04-2025
09:34 AM
Hello team,

In my distributed Splunk lab created on a VMware client virtual machine, I am facing the below issues. The distributed environment consists of the below components with Splunk free licences:

- 4 Indexers (part of an Indexer Cluster)
- 1 Cluster Manager (for managing the indexer cluster)
- 2 Universal Forwarders (UFs) sending data
- 1 DS/LM/MC (Deployment Server + License Manager + Monitoring Console combined on one server)
- 1 Search Head (for searching and dashboards)

I am facing an issue enabling Splunk monitoring for the /opt/log directory. I have checked that /var/log can be monitored successfully, whereas the Splunk forwarder fails to monitor the /opt/log directory. I have checked for permission issues and other things, but no luck.
Labels: configuration, using Splunk Enterprise
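One thing worth reading off the `splunk list inputstatus` output pasted earlier in this thread: `/opt/log/cisco_ironport_web.log` shows `file position = 207575`, `file size = 207575`, `percent = 100.00`, `type = finished reading`. That is the tailing processor reporting that it opened the file and consumed every byte, so the monitor stanza itself is working; a "missing" or a position short of the size would point at the input, a fully consumed file points downstream (the target index not existing on the indexers, outputs.conf, or the search time range, since `ls -l` dates the file Feb 19). The parser below is an added example, not code from the thread or from Splunk: it reads that output format and turns each entry into a verdict. The sample text is constructed in the same layout as the pasted output, shortened to a few entries.

```python
"""Parse the TailingProcessor:FileStatus block of `splunk list inputstatus`
and say, per monitored path, whether the forwarder actually consumed it.

Added example; not code from the thread or from Splunk. SAMPLE is a
constructed, shortened text in the layout the command prints.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (same layout as the thread's pasted output)
SAMPLE = """\
Cooked:tcp : tcp
Raw:tcp : tcp
TailingProcessor:FileStatus :
  $SPLUNK_HOME/etc/apps/sample_app/logs
    type = missing
  /opt/log/
    type = directory
  /opt/log/cisco_ironport_web.log
    file position = 207575
    file size = 207575
    parent = /opt/log/
    percent = 100.00
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/license_usage.log
    file position = 0
    file size = 0
    parent = $SPLUNK_HOME/var/log/splunk
    percent = 100
    type = finished reading
  /opt/splunkforwarder/var/log/splunk/splunkd.log
    file position = 12378562
    file size = 12378562
    parent = $SPLUNK_HOME/var/log/splunk/splunkd.log
    percent = 100.00
    type = open file
tcp_cooked:listenerports : 8089
"""


@dataclass
class FileStatus:
    path: str
    type: str = ""
    position: Optional[int] = None
    size: Optional[int] = None


# An entry line is an absolute path or a $SPLUNK_HOME-relative one, nothing else
PATH_RE = re.compile(r"^(/\S*|\$SPLUNK_HOME\S*)$")


def parse_file_status(text: str) -> List[FileStatus]:
    """Collect the entries listed under TailingProcessor:FileStatus."""
    entries: List[FileStatus] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("TailingProcessor:FileStatus"):
            in_section = True
            continue
        if not in_section:
            continue
        if " = " in line:
            key, _, value = line.partition(" = ")
            if not entries:
                continue
            cur = entries[-1]
            if key == "type":
                cur.type = value
            elif key == "file position":
                cur.position = int(value)
            elif key == "file size":
                cur.size = int(value)
        elif PATH_RE.match(line):
            entries.append(FileStatus(path=line))
        else:
            in_section = False  # next top-level section, e.g. tcp_cooked:listenerports
    return entries


def verdict(fs: FileStatus) -> str:
    """Translate one entry into what it means for a 'no events' investigation."""
    if fs.type == "missing":
        return "missing: path does not exist or splunkd cannot read it"
    if fs.type == "directory":
        return "directory: watched; files inside are listed as separate entries"
    if fs.size == 0:
        return "empty: nothing to read yet"
    if fs.position is not None and fs.size is not None and fs.position < fs.size:
        return f"in progress: {fs.position} of {fs.size} bytes read"
    if fs.type in ("finished reading", "open file"):
        return (f"consumed: all {fs.size} bytes read; if no events are searchable, "
                "check downstream (target index exists, outputs.conf, search time range)")
    return f"unknown: type = {fs.type!r}"


def report(text: str) -> Dict[str, str]:
    """Map each monitored path to its verdict."""
    return {fs.path: verdict(fs) for fs in parse_file_status(text)}


if __name__ == "__main__":
    for path, what in report(SAMPLE).items():
        print(f"{path}\n    {what}")
```

Two follow-up checks on the forwarder host fit the evidence in the thread. The `+` at the end of `-rw-r-xr--+` means a POSIX ACL is attached to the file; `getfacl /opt/log/cisco_ironport_web.log` shows whether the account splunkd runs as (often `splunk`, not `root`, even when you administer from a root shell) is granted read. And because the tailing processor records each file's CRC in the fishbucket, a file it already read will not be read again on restart; `splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file /opt/log/cisco_ironport_web.log` shows whether a record for the file exists. On the indexers, `index=_internal source=*splunkd.log "unconfigured/disabled/deleted index"` is the quickest way to catch events being dropped for an index that was never created.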
03-03-2025
07:37 AM
I have tried this option, no luck. Can we have a call to discuss this?
02-23-2025
10:58 PM
Yes, I tried using the app option and also checked with the _cluster option, where I placed the props.conf and transforms.conf files and distributed them among the peers.
02-23-2025
09:50 PM
Hello Team,

Parsing issue: I have built a distributed Splunk lab using a trial license. The lab consists of three indexers, one cluster manager, one search head, one instance serving as the Monitoring Console (MC), Deployment Server (DS), and License Manager (LM), along with two Universal Forwarders.

The forwarder is monitoring the /opt/log/routerlog directory, where I have placed two log files: cisco_ironport_web.log and cisco_ironport_mail.log. The logs are successfully forwarded to the indexers and then to the search head. However, log parsing is not happening as expected. I have applied the same configuration of props.conf and transforms.conf on both the indexer cluster and the search head.

props.conf and transforms.conf file paths:

- indexer path: /opt/splunk/etc/peer-apps/_cluster/local
- Search head path: /opt/splunk/etc/apps/search/local

Configuration of props.conf and transforms.conf:

transforms.conf:

```
[extract_fields]
REGEX = ^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<email>\S+@\S+)\s+(?P<domain>\S+)\s+(?P<url>\S+)
FORMAT = timestamp::$1 src_ip::$2 email::$3 domain::$4 url::$5
```

props.conf:

```
[custom_logs]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
TRANSFORMS-extract_fields = extract_fields
```
Labels: field extraction
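The posted pair wires the transform in with `TRANSFORMS-`, which is an index-time hook: it only runs in the parsing pipeline on the indexers (or a heavy forwarder), never in an app on a search head, and an index-time transform that is meant to create fields needs `WRITE_META = true` in transforms.conf or its `FORMAT` output is discarded. For named-group extraction like this one the normal choice is `REPORT-` in props.conf, which runs at search time on the search head and needs no `FORMAT` at all. Either way the `[custom_logs]` stanza only fires if inputs.conf on the forwarder sets `sourcetype = custom_logs` (the thread does not show inputs.conf, so that is an assumption), and `peer-apps/_cluster` on a peer is overwritten by the next bundle push, so cluster-wide parsing config belongs in `manager-apps/_cluster/local` on the cluster manager followed by `splunk apply cluster-bundle`. The script below is an added example, not the poster's code: it runs the posted REGEX against constructed sample lines the way Splunk's extractor would (Python `re` accepts the same `(?P<name>...)` syntax as Splunk's PCRE), shows that a line the REGEX does not match silently yields no fields, and renders the props/transforms pair for each of the two placements. The sample lines are made up to fit the REGEX; the real IronPort log layout is not shown in the thread.

```python
"""Test the thread's transforms.conf REGEX against sample events and render
the props/transforms pair for search-time vs. index-time extraction.

Added example, not the poster's code. SAMPLE_EVENTS are constructed to fit
the posted REGEX; they are not lines from the poster's file.
"""
import re
from typing import Dict, List, Optional, Tuple

# REGEX exactly as posted in transforms.conf [extract_fields]
EXTRACT_REGEX = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<email>\S+@\S+)\s+"
    r"(?P<domain>\S+)\s+(?P<url>\S+)"
)

# Constructed sample events; the last one starts with an epoch timestamp on purpose
SAMPLE_EVENTS = [
    "2025-02-19 11:12:03 10.1.2.3 alice@example.com example.com http://example.com/index.html",
    "2025-02-19 11:12:04 10.1.2.4 bob@example.com cdn.example.net https://cdn.example.net/a.js",
    "1739963523.123 10.1.2.5 carol@example.com example.org http://example.org/",
]


def extract(event: str) -> Optional[Dict[str, str]]:
    """Fields the named groups would produce, or None when the REGEX does not match.
    Splunk applies REGEX unanchored; the ^ in the posted pattern supplies the anchor."""
    m = EXTRACT_REGEX.search(event)
    return m.groupdict() if m else None


def extraction_coverage(events: List[str]) -> Tuple[int, int]:
    """(matched, unmatched): unmatched events get no fields and no error."""
    matched = sum(1 for e in events if extract(e) is not None)
    return matched, len(events) - matched


def render_conf(mode: str, sourcetype: str = "custom_logs") -> Dict[str, str]:
    """Render props.conf and transforms.conf for the chosen extraction point.

    mode="search": REPORT- in props.conf; deploy on the search head.
    mode="index":  TRANSFORMS- plus WRITE_META in transforms.conf; deploy on the
                   indexers via the cluster manager's manager-apps/_cluster/local.
    The stanza name must equal the sourcetype set in inputs.conf (assumed here).
    """
    transforms = "[extract_fields]\n" f"REGEX = {EXTRACT_REGEX.pattern}\n"
    props = (
        f"[{sourcetype}]\n"
        "SHOULD_LINEMERGE = false\n"
        "TIME_PREFIX = ^\n"
        "TIME_FORMAT = %Y-%m-%d %H:%M:%S\n"
        "MAX_TIMESTAMP_LOOKAHEAD = 19\n"
    )
    if mode == "search":
        # Named groups become search-time fields directly; FORMAT is not used
        props += "REPORT-extract_fields = extract_fields\n"
    elif mode == "index":
        # Index-time fields need FORMAT plus WRITE_META, otherwise nothing is written
        transforms += (
            "FORMAT = timestamp::$1 src_ip::$2 email::$3 domain::$4 url::$5\n"
            "WRITE_META = true\n"
        )
        props += "TRANSFORMS-extract_fields = extract_fields\n"
    else:
        raise ValueError(f"mode must be 'search' or 'index', got {mode!r}")
    return {"props.conf": props, "transforms.conf": transforms}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e[:40], "->", extract(e))
    print("coverage (matched, unmatched):", extraction_coverage(SAMPLE_EVENTS))
    for name, body in render_conf("search").items():
        print(f"--- {name} (search head) ---\n{body}")
```

Running the script before touching the cluster tells you whether the REGEX fits the data at all; an unmatched line produces no fields and no warning in Splunk, which looks exactly like "parsing is not happening". If the real IronPort lines start with an epoch timestamp rather than `YYYY-MM-DD HH:MM:SS`, as the third sample does, both the extraction and the `TIME_FORMAT` need to change together.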