Why is the input.conf monitor stanza is not workin...

sagar_shubham23 · ‎05-05-2023

Hi Team,

I have created an app in DS that has inputs.conf with monitor stanza ( to monitor .trc file). I have created a server class and mapped the App with the client. Now, no data is getting indexed. No internal logs are generated for this configuration.

I have checked the file path and permission is correct.

Kindly suggest what steps should I follow to troubleshoot this from UF server side.

Thanks

enzomialich · ‎05-06-2023

If there's no internal logs received by the FW there's no data being forwaded.

0. In the forwarder management page, check the last time the app was deployed (this image is from the docs).

1. You said that you deployed the inputs.conf file for that app, the outputs.conf that points the fw to the idx is configured?

2. Also, when deploying apps with configuration files updates that requires restart. Ensure that you checked the restart splunkd box when deploy apps. Same thing with the enable app checkbox.

3. I would try to deploy the inputs.conf manually to see if the problem is with the app itself.

4. Run btool command followed by the show config to see what is on disk and what is on memory (run both commands on the client) if there's any difference, restart splunkd.

Hope that helps.

richgalloway · ‎05-05-2023

Do the UF's logs confirm it downloaded the app? Did the UF restart afterwards? It won't process the new input until after restart. Use btool on the UF to confirm the input is configured and the splunk list monitor command to verify the file is being monitored.

---
If this reply helps you, Karma would be appreciated.

Why is the input.conf monitor stanza is not working even if the file is available in the UF server?

inputs.conf

monitor

universal forwarder

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability