Getting Data In

Why am I not seeing the events for a file?

sekhar463
Path Finder

Hi All,

I have added an input to ingest one file into Splunk from the deployment server.

I have created a new app and created the inputs file as below,

but logs are not coming for this.

0 Karma

shivanshu1593
Builder

In the app configuration under Forwarder Management, have you selected "Restart Splunkd" option? Configurations will come into place once splunkd is restarted on the servers where this app is being deployed. Select the option if you haven't already and reload the server class using the command "$SPLUNK_HOME/bin/splunk reload deploy-server -class <serverclass_name>" (Remove double quotes and replace $SPLUNK_HOME with your environment variable). Once the forwarders phone home to the DS, they will pick this app again and restart Splunkd on the servers.

Also, please check if there are any error messages using the following search by substituting the name of the servers that are supposed to send logs. Also, you can confirm if these servers are actually phoning home to your deployment server or not. The last thing to check, once it's ensured that the servers are phoning home to the DS, the app is deployed to the server and splunkd has been restarted on them, would be to check if the user which was used to install Splunk UFs on the servers has enough privileges to read the logs.

 

index=_internal host=<host_name> log_level IN ("ERROR", "WARN")

 

 ++IF it helps, please consider accepting as an answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma

sekhar463
Path Finder

#cat inputs.conf
[monitor:///harvest/netapp/cloudsecure/agent-logs/*.log]
index = ivz_unix_linux_events
sourcetype = netapp:cloudsecure:agentlog
disabled = 0

0 Karma

gcusello
SplunkTrust

Hi @sekhar463,

are you sure that this is the /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf file?

because in the error message are listed errors at rows 5, 6 and 7 but you have only 4 rows.

Is there something else after the displayed rows?

Ciao.

Giuseppe

0 Karma

sekhar463
Path Finder

nothing was there 

yes the file in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf file

0 Karma

gcusello
SplunkTrust

Hi @sekhar463,

one additional question, is the app correctly deployed to the clients and sending logs?

Ciao.

Giuseppe

0 Karma

sekhar463
Path Finder

yes it was deployed for one client but not getting logs

0 Karma

gcusello
SplunkTrust

Hi @sekhar463,

are there logs to ingest at the location you have in inputs.conf?

are you receiving internal or other logs from that server?

Ciao.

Giuseppe

0 Karma

sekhar463
Path Finder

yes, receiving internal logs as well

but didn't get the logs from the file.

 

 

0 Karma

sekhar463
Path Finder

[monitor:///harvest/netapp/cloudsecure/agent-logs/*.log]
index = ivz_unix_linux_events
sourcetype = netapp:cloudsecure:agentlog
disabled = 0

0 Karma

gcusello
SplunkTrust

Hi @sekhar463,

let me understand:

  • you created an app,
  • this app contains the inputs.conf you shared,
  • you deployed the app using the deployment server to a client,
  • you're not receiving logs from that client,

is it correct?

if yes, at first check if you're receiving logs from that client using a simple search:

index=_internal host=<your_host>

if you have results, the connection is established; otherwise, you have to check your connection.

If the connection is established you have to debug your inputs.conf, one question:

  • /harvest/netapp/cloudsecure/agent-logs is a folder or a filename?

if, as I suppose, it's a folder, you have to add to the filename in the inputs.conf stanza, so if you want to take all the *.log files, you have to use:

[monitor:///harvest/netapp/cloudsecure/agent-logs/*.log]
index = ivz_unix_linux_events
sourcetype = netapp:cloudsecure:agentlog
disabled = false

or using whitelist.

Ciao.

Giuseppe

sekhar463
Path Finder

I have ingested using the below but am not getting logs.

Here are the internal logs for this file:

 

2/7/23
1:18:01.382 PM
 
02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 7: checkpointInterval (value: 5).\n
 2/7/23
1:18:01.382 PM
 
02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 6: current_only (value: 1).\n
 2/7/23
1:18:01.382 PM
 
02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 5: start_from (value: oldest).\n
0 Karma
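Added example, not part of any post in this thread: a Python sketch that parses the three "Invalid key in stanza" warnings quoted above and compares their line numbers and keys with the four-line inputs.conf posted in the thread, which is the mismatch Giuseppe points out. The function names are hypothetical; the log lines and the conf text are copied from the thread, with the trailing literal `\n` dropped.

```python
import re
from collections import defaultdict

# splunkd "Invalid key in stanza" warning format, as quoted in the thread.
WARN_RE = re.compile(
    r"WARN\s+Application - Invalid key in stanza \[(?P<stanza>.+?)\] in "
    r"(?P<path>\S+), line (?P<line>\d+): (?P<key>\S+)\s+\(value: (?P<value>.*?)\)"
)

# Warnings copied from the thread.
SPLUNKD_LOG = """\
02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 7: checkpointInterval (value: 5).
02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 6: current_only (value: 1).
02-07-2023 01:48:01.382 -0600 WARN Application - Invalid key in stanza [monitor:///harvest/netapp/cloudsecure/agent-logs/*.log] in /opt/splunk/etc/deployment-apps/splunk_netapp_agentlog/local/inputs.conf, line 5: start_from (value: oldest).
"""

# inputs.conf exactly as posted in the thread (four lines).
POSTED_CONF = """\
[monitor:///harvest/netapp/cloudsecure/agent-logs/*.log]
index = ivz_unix_linux_events
sourcetype = netapp:cloudsecure:agentlog
disabled = 0
"""

def parse_warnings(log_text):
    """Return {conf_path: [(line_no, key, value), ...]} sorted by line number."""
    found = defaultdict(list)
    for m in WARN_RE.finditer(log_text):
        found[m["path"]].append((int(m["line"]), m["key"], m["value"]))
    return {path: sorted(items) for path, items in found.items()}

def lines_beyond_file(warnings, conf_text):
    """Warned line numbers that do not exist in the conf text under review."""
    total = len(conf_text.splitlines())
    return [line_no for line_no, _, _ in warnings if line_no > total]

def keys_not_in_file(warnings, conf_text):
    """Warned keys that never appear as a 'key = value' line in the conf text."""
    present = {l.split("=", 1)[0].strip() for l in conf_text.splitlines() if "=" in l}
    return [key for _, key, _ in warnings if key not in present]

if __name__ == "__main__":
    for path, warns in parse_warnings(SPLUNKD_LOG).items():
        print(path, lines_beyond_file(warns, POSTED_CONF), keys_not_in_file(warns, POSTED_CONF))
```

When both lists are non-empty, the file splunkd parsed at that path is not the text under review, so the next check is the actual file contents at the path named in the warning.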

gcusello
SplunkTrust

Hi @sekhar463,

this means that in the splunk_netapp_agentlog/local/inputs.conf file there are two errors, could you share this file?

Ciao.

Giuseppe

0 Karma

sekhar463
Path Finder

It's resolved, as we missed the app.conf file in the local

0 Karma

gcusello
SplunkTrust

Hi @sekhar463,

if one answer solves your need, please accept one answer for the other people of Community or tell us how we can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors;-)
