|
I'm having a problem getting Splunk to monitor an active IIS log. When I look at the SplunkD log, I see the following errors: 05-17-2012 16:55:52.503 -0400 WARN FileClassifierManager - The file 'D:LOGSMSFTPSVC1ex120517.log' is invalid. Reason: binary 05-17-2012 16:55:52.503 -0400 INFO TailingProcessor - Ignoring file 'D:LOGSMSFTPSVC1ex120517.log' due to: binary When I open the log file, I see normal text, however there is a bunch of white space at the bottom of the file. I assume this has to due with IIS still writing to the file. How can I get Splunk to read this active log file so we can get real-time data? |
|
In props.conf, put This assumes that the "offending" file has a sourcetype that starts with iis. Feel free to substitute a source specification instead of the sourcetype. I saw that as a possible solution on the Wiki and I tried to implement it....but it didn't seem to work for me. This server has a Universal forwarder installed and didn't have a props.conf file by default. I created one for my source type and added the no binary check, but I got the same result.
(17 May '12, 15:10)
jchampagne
Where did you put the props.conf? On the UF or on the indexer?
(17 May '12, 19:13)
lguinn ♦
Also, have you tried running btool on the forwarder - $ cd /opt/splunkforwarder # or wherever you installed splunk $ ./splunk btool props list iis --debug or just $ ./splunk btool props list --debug | more
(17 May '12, 19:24)
lguinn ♦
|
