Installed a heavy forwarder on an instance to ingest exported data from our old SIEM, and needed props set on the data so I don't have to bounce my indexers. I got 2 of my 14 GB files without issue, and have the correct fields assigned to them. I've added new files to the directories being monitored, and they're not being ingested. The files are seen by splunk list monitor, and the REST page (services/admin/inputstatus/TailingProcessor:FileStatus) shows the two files that were ingested as:
/splunk/Splunk/IIS/172.30.59.32/IIS_10_16_results_172.30.59.32.txt
file position 1226615332
file size 1226615332
parent /splunk/Splunk/IIS/172.30.59.32/*.txt
percent 100.00
type finished reading
while the files that aren't being ingested look like:
/splunk/Splunk/IIS/172.30.59.32/IIS_11_16_results_172.30.59.32.txt
parent /splunk/Splunk/IIS/172.30.59.32/*.txt
type unknown (scanned)
A btool for inputs looks like:
/opt/splunk/etc/apps/iis/local/inputs.conf [monitor:///splunk/Splunk/IIS/172.30.59.32/*.txt]
/opt/splunk/etc/apps/iis/local/inputs.conf disabled = false
/opt/splunk/etc/apps/iis/local/inputs.conf host_segment = 4
/opt/splunk/etc/apps/iis/local/inputs.conf index = iis
/opt/splunk/etc/apps/iis/local/inputs.conf sourcetype = ms:iis:historic
/opt/splunk/etc/apps/iis/local/inputs.conf [monitor:///splunk/Splunk/IIS/PCWOSS01C/*.txt]
/opt/splunk/etc/apps/iis/local/inputs.conf disabled = false
/opt/splunk/etc/apps/iis/local/inputs.conf host_segment = 4
/opt/splunk/etc/apps/iis/local/inputs.conf index = iis
/opt/splunk/etc/apps/iis/local/inputs.conf sourcetype = ms:iis:historic
/opt/splunk/etc/apps/iis/local/inputs.conf [monitor:///splunk/Splunk/IIS/PCWOSS01D/*.txt]
/opt/splunk/etc/apps/iis/local/inputs.conf disabled = false
/opt/splunk/etc/apps/iis/local/inputs.conf host_segment = 4
/opt/splunk/etc/apps/iis/local/inputs.conf index = iis
/opt/splunk/etc/apps/iis/local/inputs.conf sourcetype = ms:iis:historic
And I'm seeing internal data from the HF. So I don't see how my outputs could be a problem, but here they are:
/opt/splunk/etc/system/local/outputs.conf [indexer_discovery:master1]
/opt/splunk/etc/system/local/outputs.conf master_uri = https://172.30.63.61:8089/
/opt/splunk/etc/system/local/outputs.conf pass4SymmKey = $1$seRzZzfgCPVD5mk=
/opt/splunk/etc/system/local/outputs.conf [tcpout]
/opt/splunk/etc/system/local/outputs.conf defaultGroup = group1
/opt/splunk/etc/system/local/outputs.conf forwardedindex.0.whitelist = .*
/opt/splunk/etc/system/local/outputs.conf indexAndForward = 0
/opt/splunk/etc/system/local/outputs.conf [tcpout:all_indexers]
/opt/splunk/etc/system/local/outputs.conf maxQueueSize = 500MB
/opt/splunk/etc/system/local/outputs.conf [tcpout:group1]
/opt/splunk/etc/system/local/outputs.conf autoLBFrequency = 30
/opt/splunk/etc/system/local/outputs.conf forceTimebasedAutoLB = true
/opt/splunk/etc/system/local/outputs.conf indexerDiscovery = master1
/opt/splunk/etc/system/local/outputs.conf useAck = true
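A small triage script for the situation described above (added here as an example; it is not from the original post or from Splunk). It reads the JSON form of the TailingProcessor:FileStatus endpoint (output_mode=json), groups every monitored file under its parent monitor stanza, and lists the files the tailing processor has scanned but never opened. The top-level JSON layout (entry[].content.inputs) and the sample paths are assumptions; the per-file keys (file position, file size, parent, percent, type) are the ones shown in the post.

```python
"""Triage Splunk TailingProcessor:FileStatus output to find monitored
files that were scanned but never opened for reading."""
import json
from collections import defaultdict

# Constructed sample shaped like output_mode=json from
# services/admin/inputstatus/TailingProcessor:FileStatus. The entry/content/
# inputs nesting is an assumption; the per-file keys mirror the post.
SAMPLE_JSON = json.dumps({"entry": [{"name": "TailingProcessor:FileStatus", "content": {
    "inputs": {
        "/splunk/Splunk/IIS/172.30.59.32/IIS_10_16_results_172.30.59.32.txt": {
            "file position": 1226615332, "file size": 1226615332,
            "parent": "/splunk/Splunk/IIS/172.30.59.32/*.txt",
            "percent": 100.0, "type": "finished reading"},
        "/splunk/Splunk/IIS/172.30.59.32/IIS_11_16_results_172.30.59.32.txt": {
            "parent": "/splunk/Splunk/IIS/172.30.59.32/*.txt",
            "type": "unknown (scanned)"},          # no position: never tailed
        "/splunk/Splunk/IIS/PCWOSS01C/IIS_11_16_results_PCWOSS01C.txt": {
            "file position": 4096, "file size": 8192,
            "parent": "/splunk/Splunk/IIS/PCWOSS01C/*.txt",
            "percent": 50.0, "type": "open file"},
    }}}]})


def classify(status):
    """Map a FileStatus 'type' string to a coarse state."""
    t = status.get("type", "")
    if t == "finished reading":
        return "finished"
    if t.startswith("unknown"):
        return "never_opened"  # seen by the monitor scan, never opened for reading
    return "in_progress"


def triage(raw_json):
    """Return ({parent stanza: {state: [paths]}}, [never-opened paths])."""
    doc = json.loads(raw_json)
    inputs = {}
    for entry in doc.get("entry", []):
        inputs.update(entry.get("content", {}).get("inputs", {}))
    by_parent = defaultdict(lambda: defaultdict(list))
    stuck = []
    for path, st in sorted(inputs.items()):
        state = classify(st)
        by_parent[st.get("parent", "?")][state].append(path)
        if state == "never_opened":
            stuck.append(path)
    return {p: dict(v) for p, v in by_parent.items()}, stuck


if __name__ == "__main__":
    report, stuck = triage(SAMPLE_JSON)
    for parent, states in report.items():
        print(parent, {k: len(v) for k, v in states.items()})
    for path in stuck:
        print("never opened:", path)
```

Feed it the real endpoint output with something like `curl -sk -u admin https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus?output_mode=json` and compare the never-opened list against the files you expect to be indexed.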