Re: Universal Forwarder is not reading the log fil...

iamsplunker · ‎11-11-2023

Hello Splunkers,

I have an issue with the UF file monitoring where the input is not being monitored/ not forwarding the events to splunk. I do not have access to the server to run the btool.

[monitor:///opt/BA/forceAutomation/workuser.ABD/output/event_circuit.ABD.*]
sourcetype = banana
_meta=Appid::APP-1234 DataClassification::Unclassified
index = test
disabled = 0
crcSalt = <SOURCE>
ignoreOlderThan = 7d

The host(s) are sending _internal logs to Splunk, Here is the info I see in splunkd.log no errors, I tried the wildcard (*) in the monitoring stanza at the end after /output dir however it didn't work

TailingProcessor [ MainTailingThread] - Parsing configuration stanza: monitor :///opt/BA/forceAutomation/workuser.ABD/output/event_circuit.ABD.*

Actual log file

-rw-r--r--1 automat autouser 6184 Oct 8 00:00 event_circuit.ABD.11082023

SanjayReddy · ‎11-11-2023

Hi @iamsplunker

from inputs.conf and log file last modified, there is an issue I see

as log file modified last month and in inputs.conf you mentioned ignoreOlderThan = 7d

Splunk will ignore log files which are modified more than 7 days ago.

I would suggest comment ignoreOlderThan = 7d for first time and restart splunkd ,

once splunk reads older file then you can comment again.

iamsplunker · ‎11-11-2023

@SanjayReddy Thanks for your response, I just mentioned the log format. Actually the log file is recent, new file will be generated everyday filename.<date>
I updated my post as well.

Universal Forwarder is not reading the log files

inputs.conf

Linux

universal forwarder

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio