Splunk Search

Searching the fish bucket

mvangamf
New Member

Indexing server.log and boot.log files using the following stanzas for both:
[monitor:///opt/directory/logs/servername/boot.log]
disabled = false
index = rate
sourcetype = serverlog
blacklist = .gz$

[monitor:///opt/directory/logs/servername/server.log]
disabled = false
index = rate
sourcetype = serverlog
blacklist = .gz$

The behavior is inconsistent: sometimes both files are indexed, and sometimes only one file is. Is there a specific place (e.g. the fishbucket) that I can search to see what got indexed or refused and why (any error messages)?


shaskell_splunk
Splunk Employee

You can try looking at the status of the TailingProcessor which handles file monitor inputs.

https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus

Here's a Splunk Wiki page on troubleshooting monitor inputs.

https://wiki.splunk.com/Community:Troubleshooting_Monitor_Inputs

Hope those help!


mvangamf
New Member

Reviewed status of the TailingProcessor on a few hosts and again, the behavior is inconsistent. On one host, the file was read but nothing shows up in the search head (within last 7 days). On another host, only one of the 2 stanzas was used for file comparison and indicated that there was no match so file was not read.

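The answer above points at the TailingProcessor:FileStatus endpoint, and the follow-up describes the two outcomes worth telling apart (a file that was read but never reached the search head, and a stanza that never matched a file). The script below is an added example, not code from this thread or from Splunk: it parses the two stanzas from the question, pulls the FileStatus response from the management port, and gives one verdict per monitored path. The assumed part is the JSON shape of that endpoint: that with output_mode=json each entry's "content" maps a file path to a dict with the keys "file position", "file size", "percent" and "type"; the sample response embedded here is constructed to that shape. The token, host and byte counts are placeholders.

```python
"""Cross-check inputs.conf monitor stanzas against TailingProcessor:FileStatus.

Added example for this thread, not Splunk's own code. ASSUMPTION: querying
/services/admin/inputstatus/TailingProcessor:FileStatus with output_mode=json
returns Atom-style JSON whose entry "content" maps each file path to a dict with
"file position", "file size", "percent" and "type" (e.g. "finished reading").
"""
import json
import re
import ssl
import urllib.request
from typing import Dict, List

FILESTATUS_PATH = "/services/admin/inputstatus/TailingProcessor:FileStatus"

# The two stanzas from the question, verbatim.
SAMPLE_CONF = """
[monitor:///opt/directory/logs/servername/boot.log]
disabled = false
index = rate
sourcetype = serverlog
blacklist = .gz$

[monitor:///opt/directory/logs/servername/server.log]
disabled = false
index = rate
sourcetype = serverlog
blacklist = .gz$
"""

# Constructed response: boot.log was read to the end, server.log is absent,
# which is the "no match" case from the follow-up post. Byte counts are made up.
SAMPLE_STATUS = {
    "entry": [{
        "name": "FileStatus",
        "content": {
            "eai:acl": None,  # scalar housekeeping key, must be skipped
            "/opt/directory/logs/servername/boot.log": {
                "file position": 4096, "file size": 4096,
                "percent": 100.0, "type": "finished reading",
            },
        },
    }],
}


def fetch_file_status(base_url: str, token: str, verify_tls: bool = True) -> dict:
    """GET FileStatus from the management port (e.g. https://host:8089).

    Authenticates with a Splunk authentication token; keep verify_tls=True
    outside a lab that uses self-signed certificates.
    """
    req = urllib.request.Request(
        f"{base_url}{FILESTATUS_PATH}?output_mode=json",
        headers={"Authorization": f"Bearer {token}"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def file_status_map(payload: dict) -> Dict[str, dict]:
    """Flatten the (assumed) response shape into {file path: details}."""
    files: Dict[str, dict] = {}
    for entry in payload.get("entry", []):
        for path, details in entry.get("content", {}).items():
            if isinstance(details, dict):
                files[path] = details
    return files


def parse_stanzas(conf: str) -> List[dict]:
    """Minimal inputs.conf reader for monitor stanzas: path, blacklist, disabled."""
    stanzas: List[dict] = []
    for raw in conf.splitlines():
        line = raw.strip()
        header = re.match(r"\[monitor://(.+)\]$", line)
        if header:
            stanzas.append({"path": header.group(1), "blacklist": None, "disabled": False})
        elif "=" in line and stanzas:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key == "blacklist":
                stanzas[-1]["blacklist"] = value
            elif key == "disabled":
                stanzas[-1]["disabled"] = value.lower() in ("1", "true")
    return stanzas


def diagnose(stanzas: List[dict], files: Dict[str, dict]) -> Dict[str, str]:
    """One verdict per stanza path. Splunk applies blacklist as a regex on the full path."""
    verdicts: Dict[str, str] = {}
    for st in stanzas:
        path = st["path"]
        if st["disabled"]:
            verdicts[path] = "stanza disabled"
        elif st["blacklist"] and re.search(st["blacklist"], path):
            verdicts[path] = f"excluded by blacklist {st['blacklist']!r}"
        elif path not in files:
            verdicts[path] = "not known to TailingProcessor (never matched or never opened)"
        else:
            d = files[path]
            pos, size = int(d.get("file position", 0)), int(d.get("file size", 0))
            state = d.get("type", "status unknown")
            if size and pos >= size:
                verdicts[path] = f"fully read ({state})"
            else:
                verdicts[path] = f"partially read: {pos}/{size} bytes ({state})"
    return verdicts


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in
    # fetch_file_status("https://localhost:8089", "<token>") on a real forwarder.
    for path, verdict in diagnose(parse_stanzas(SAMPLE_CONF), file_status_map(SAMPLE_STATUS)).items():
        print(f"{path}: {verdict}")
```

A "fully read" verdict for a file that still does not appear in search means the bytes left the forwarder, so the next place to look is the indexer side (index name, time parsing, and the search time range) rather than the monitor input; a "not known" verdict means the stanza never matched, which is the case to compare against the path and blacklist on that host.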