Refine your search:

Follow event from source forwarder to indexer; how to troubleshoot a missing sourcetype

1
1

I just set up a new splunk forwarder on a linux host. One of the inputs is a monitor of the /var/log/messages file. I have a crontab entry to write some disk information to this messages file. I am unable to find these events being indexed on the indexer.

The forwarder is able to forward other events. I have a similar monitor set up to watch the /var/log/maillog file, and I find these events on the other side, being indexed. Other sorts of events are coming in. I restarted splunk on the forwarder and checked the startup events in the splunkd log. I see an entry where it says that it has begun to tail the /var/log/messages file.

Does anybody have an idea why this particular sourcetype isn't being indexed? What else can I do to follow this sourcetype onto the indexer? Is there any particular error I should look for to explain why this sourcetype isn't being indexed?

asked 16 Jul '10, 18:46

muebel's gravatar image

muebel ♦
1.0k1117
accept rate: 40%

How do you know you are missing an entire sourcetype and not just a single source (/var/log/messages)? Have you tried inserting a unique message string into your log file (perhaps via logger) and then searched for it across all time (just in case you have a timestamping issue)? (This should also show you if events are being timestamped with a future date, for example as well as search across source/sourcetype/host boundaries)

(16 Jul '10, 18:57) Lowell ♦

There is a unique string in the events I am logging. I searched for that string across all time and was unable to find any events. There are no events being indexed from the /var/log/messages source. Other things are being logged there beyond my disk checking entry, and I cannot find these other things.

(16 Jul '10, 19:14) muebel ♦
One Answer:
oldestnewestmost voted
0

The first guess would be that data is not being read from the file. You can falsify this by turning on local indexing on the forwarder, or by reviewing metrics.log per_source_thruput on the forwarder. Alternatively you could inveestigate what's going on with the file input code, by searching _internal for the filename, or by enabling more debugging info: http://www.splunk.com/wiki/Community:Troubleshooting_Monitor_Inputs

Be sure that other data categories are still being sent from the forwarder, to eliminate a general communication problem.

link

answered 16 Jul '10, 21:06

jrodman's gravatar image

jrodman ♦
5.8k2515
accept rate: 42%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×1,089
×404
×311
×100
×30

Asked: 16 Jul '10, 18:46

Seen: 722 times

Last updated: 16 Jul '10, 21:06

Related questions

Troubleshooting forwarder -> indexer connection

sourcetype from universal forwarder to splunk indexer

Should I include indexer's 3rd party cert AND private key in forwarder configuration

can a universal forwarder serve as a relay between another forwarder and the indexer?

What is the forwarder to indexer compatibility matrix?

App to monitor forwarder -> indexer connection?

What happens to my events at Splunk Light Forwarder when the Indexer goes down?

Copyright © 2005-2012 Splunk, Inc. All rights reserved.