universal forwarder not forwarding all the files t...

lakshman237 · ‎12-14-2012

I had the stanza in inputs.conf in the universal forwarder as:
[monitor:///my/logs/project]
blacklist = .(gz)$
whitelist = (xyz_debug_ms[1-4]{1}.txt|app1_ms[1-4]{1}.txt|\
app2sos_ms[1-2]{1}.log|system_ms.log\
remoteserver.log)
sourcetype = mylogs
index = my index

After restart, the forwarder showed only a few files in "splunk list monitor" and only those files were sent to indexer for search. I then removed "\" and create two stanza, with same monitor:: line, with a few files in whitelist in the first stanza and the remaining in the second stanza.

After restart, the forwarder is not showing the files which it had shown earlier in the list monitor. how to ensure all the files can be monitored and send to indexer?

itinney · ‎12-14-2012

Your blacklist should probably be:

blacklist = \.gz$

I believe your whitelist is missing a pipe symbol between the last two file specs, it should probably be:

whitelist = (xyz_debug_ms[1-4]{1}.txt|app1_ms[1-4]{1}.txt|app2sos_ms[1-2]{1}.log|system_ms.log|remoteserver.log)

When you say you then created two stanza, can you include them so we can see what they look like? You should not have overlapping monitor stanzas.

lakshman237 · ‎12-14-2012

The pipe was missed when I posted the query, however it's present in my config spec. Any other possibilities?

Also, does splunk not allow to 2 or more stanza with the same monitor line, eg. monitor::/var/log monitor::/var/log with different files in the whitelist?

universal forwarder not forwarding all the files to indexer

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases