I created 8 data inputs, each one is supposed to tail log files matching a certain whitelist regex. These inputs see the files (my preview worked and I see the # of files in the data inputs page). The application I'm using for the inputs is SEARCH. When I go to the SEARCH app, I type a word I KNOW is in the logs, and I get nothing. I type * and I get nothing. I'm clearly missing something basic. This wasn't this hard when I did this a few years ago.
Usually, when I want to check that some data that I set to be indexed is present, I am as loose as possible with my search terms. Typically, I will search over all time for:
...where
Oh, and there's no reason to feel dumb. What about with just the index specified, no other strings to filter?
(07 Feb, 17:56)
mikelanghorst
You can search with just the index specified. The search will return all events in the index (constrained by your time range selection).
(07 Feb, 21:55)
lguinn ♦
I get no results. :(
(08 Feb, 06:39)
lennyburns
Here's the likely reason: index = vmware_view_brokers
The summary app and, by default, your role will only search index=main. Simply add index=vmware_view_brokers to your search and you should see the data just fine. You can change the default role that is searched under Manager > User Roles > your role.
How can I make the default index the brokers index? I plan to use Splunk for nothing else but watching brokers.
(07 Feb, 17:05)
lennyburns
So, I did that... index="vmware_view_brokers" WARN and I don't find any occurrence of WARN.
(07 Feb, 17:06)
lennyburns
Also make sure the indexes are actually created.
(07 Feb, 19:56)
gkanapathy ♦
I think this might be the problem. In the indexes section, the vmware_view_brokers index is only at 1MB and EVENT COUNT is 0, and the rest is N/A. Argh.
(08 Feb, 08:26)
lennyburns
Hmm, this might take some more investigating. What's the output of:
./splunk bin splunk cmd btool indexes list --debug vmware_view_brokers
Alternatively, if you have access to the IRC channel you could pop in there, then we could look deeper and then update this Question with the outcome.
(08 Feb, 09:26)
mikelanghorst
So I just run this command?
(08 Feb, 10:35)
lennyburns
C:\Program Files\Splunk\bin>btool indexes list --debug vmware_view_brokers
search   [vmware_view_brokers]
system   assureUTF8 = false
system   blockSignSize = 0
system   blockSignatureDatabase = _blocksignature
search   coldPath = $SPLUNK_DB\vmware_view_brokers\colddb
system   coldToFrozenDir =
system   coldToFrozenScript =
system   compressRawdata = true
system   defaultDatabase = main
system   enableOnlineBucketRepair = true
system   enableRealtimeSearch = true
system   frozenTimePeriodInSecs = 188697600
search   homePath = $SPLUNK_DB\vmware_view_brokers\db
(08 Feb, 10:45)
lennyburns
system   indexThreads = auto
system   maxBloomBackfillBucketAge = 30d
system   maxConcurrentOptimizes = 3
system   maxDataSize = auto
system   maxHotBuckets = 3
system   maxHotIdleSecs = 0
system   maxHotSpanSecs = 7776000
system   maxMemMB = 5
system   maxMetaEntries = 1000000
system   maxRunningProcessGroups = 20
system   maxRunningProcessGroupsLowPriority = 1
system   maxTotalDataSizeMB = 500000
system   maxWarmDBCount = 300
system   memPoolMB = auto
system   minRawFileSyncSecs = disable
system   partialServiceMetaPeriod = 0
(08 Feb, 10:46)
lennyburns
system   quarantineFutureSecs = 2592000
system   quarantinePastSecs = 77760000
system   rawChunkSizeBytes = 131072
system   rotatePeriodInSecs = 60
system   serviceMetaPeriod = 25
system   suppressBannerList =
system   sync = 0
system   syncMeta = true
search   thawedPath = $SPLUNK_DB\vmware_view_brokers\thaweddb
system   throttleCheckPeriod = 15
(08 Feb, 10:46)
lennyburns
Ok, after trying to figure out why the wildcard "*" wouldn't work in your inputs.conf, it was determined that it can't be used in the Splunk data preview or the stanza in inputs.conf.
EX: [monitor:///Users/username/Desktop/tmp/
With that said, I had to create these configurations to get it to work:
inputs.conf
[monitor:///Users/username/Desktop/tmp] <---location of debug.txt and log.txt logs
whitelist =
props.conf
[source::.../tmp/debug...txt]
sourcetype = debug
TRANSFORMS-index = choose_debug_index
[source::.../tmp/log...txt]
sourcetype = log
TRANSFORMS-index = choose_log_index
transforms.conf
[choose_debug_index]
SOURCE_KEY = _raw
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = debugtest
[choose_log_index]
SOURCE_KEY = _raw
REGEX = .*
DEST_KEY = _MetaData:Index
FORMAT = logtest
NOTE: The names of the indexes and transforms stanzas above can be changed to what suits your needs. Hope that helps.
There is a way to show code in an Answers posting. The "code" button in the input editor (looks like "101-010") will make anything you type in literal. There should also be a help link somewhere to the formatting codes so you can type them directly (it is in Markdown), but some fail has removed it.
(09 Feb, 15:42)
gkanapathy ♦
This format gets me close, but I don't understand how to adapt all this to my input data. I don't understand a lot of what you put in here or mean for me to replace; some is obvious, other parts are not. I'm using a Windows Splunk instance, so do I need to escape all these characters? Some stuff in here isn't anything I have ever seen. {choose log/debug index}, etc... Can you explain it more? Perhaps use a sample of my data from above for your example?
(10 Feb, 06:45)
lennyburns
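The two checks the thread keeps coming back to (does the index the input writes to actually exist, and is it one a default search will even look at) can be scripted. The following is an added example, not code from the thread or from Splunk: a hypothetical lint over constructed inputs.conf and indexes.conf text that reports monitor stanzas whose index is undefined (events are lost and the event count stays 0), whose index is not main (events exist but only show up with index=... in the search), and whose whitelist/blacklist values do not compile as the regexes Splunk expects.

```python
import configparser
import re

# Constructed sample configs (not from the thread): the first monitor stanza
# routes to an index that this indexes.conf never defines, the second is fine.
INPUTS_CONF = r"""
[monitor://\\XXX-vdi-csa01\c$\Documents and Settings\All Users\Application Data\VMware\VDM\logs]
sourcetype = vmware_view_connection_broker_debug_log
index = vmware_view_brokers
whitelist = debug-.*\.txt

[monitor:///var/log/auth.log]
index = main
"""
INDEXES_CONF = r"""
[main]
homePath = $SPLUNK_DB\defaultdb\db
"""

def load_conf(text):
    # Splunk .conf files are INI-like: keep key case, no $VAR interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def lint_inputs(inputs_text, indexes_text):
    """Return (stanza, finding) pairs: undefined index (events dropped, count
    stays 0), non-main index (invisible to a default search), bad regexes."""
    inputs = load_conf(inputs_text)
    # 'main' ships in the system default indexes.conf, so treat it as defined.
    defined = set(load_conf(indexes_text).sections()) | {"main"}
    findings = []
    for stanza in inputs.sections():
        if not stanza.startswith("monitor://"):
            continue
        idx = inputs.get(stanza, "index", fallback="main")
        if idx not in defined:
            findings.append((stanza, f"index '{idx}' is not defined in indexes.conf"))
        elif idx != "main":
            findings.append((stanza, f"index '{idx}' is not searched by default; add index={idx}"))
        # whitelist/blacklist are regexes, not globs: make sure they compile
        for key in ("whitelist", "blacklist"):
            try:
                re.compile(inputs.get(stanza, key, fallback=""))
            except re.error as err:
                findings.append((stanza, f"{key} is not a valid regex: {err}"))
    return findings
```

Run it against the real files under $SPLUNK_HOME/etc (or against the btool output) before assuming the search side is at fault.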
Could you post the relevant stanza from inputs.conf? Are you sending the data to an index you're then not searching for?
Here is a sample of a few...
[monitor://\\XXX-vdi-csa01\c$\Documents and Settings\All Users\Application Data\VMware\VDM\logs]
disabled = false
followTail = 1
host = XXX-VDI-CSA01_DEBUG-LOG
sourcetype = vmware_view_connection_broker_debug_log
index = vmware_view_brokers
blacklist = log-.txt
whitelist = debug-.txt

[monitor://\\XXX-vdi-csb01\c$\Documents and Settings\All Users\Application Data\VMware\VDM\logs]
disabled = false
followTail = 1
host = XXX-VDI-CSB01_LOG
sourcetype = vmware_view_connection_server_log
index = vmware_view_brokers
blacklist = debug-.txt
whitelist = log-.txt